Author: tushar
Date: 2005-08-07 20:55:30 -0600 (Sun, 07 Aug 2005)
New Revision: 979
Added:
trunk/OLD/automount.txt
trunk/OLD/iproute2.txt
trunk/OLD/kerberos.txt
trunk/OLD/lzw_graphics.txt
trunk/OLD/nfs.txt
trunk/OLD/pam+shadow+cracklib.txt
trunk/OLD/ppp-hint.txt
trunk/OLD/sendmail-2.txt
trunk/OLD/shadowpasswd_plus.txt
trunk/OLD/shells.txt
Removed:
trunk/PREVIOUS_FORMAT/automount.txt
trunk/PREVIOUS_FORMAT/iproute2.txt
trunk/PREVIOUS_FORMAT/kerberos.txt
trunk/PREVIOUS_FORMAT/lzw_graphics.txt
trunk/PREVIOUS_FORMAT/nfs.txt
trunk/PREVIOUS_FORMAT/pam+shadow+cracklib.txt
trunk/PREVIOUS_FORMAT/ppp-hint.txt
trunk/PREVIOUS_FORMAT/sendmail.txt
trunk/PREVIOUS_FORMAT/shadowpasswd_plus.txt
trunk/PREVIOUS_FORMAT/shells.txt
Log:
Move really old hints to OLD
Copied: trunk/OLD/automount.txt (from rev 975, trunk/PREVIOUS_FORMAT/automount.txt)
Copied: trunk/OLD/iproute2.txt (from rev 975, trunk/PREVIOUS_FORMAT/iproute2.txt)
Copied: trunk/OLD/kerberos.txt (from rev 975, trunk/PREVIOUS_FORMAT/kerberos.txt)
Copied: trunk/OLD/lzw_graphics.txt (from rev 975, trunk/PREVIOUS_FORMAT/lzw_graphics.txt)
Copied: trunk/OLD/nfs.txt (from rev 975, trunk/PREVIOUS_FORMAT/nfs.txt)
Copied: trunk/OLD/pam+shadow+cracklib.txt (from rev 975, trunk/PREVIOUS_FORMAT/pam+shadow+cracklib.txt)
Copied: trunk/OLD/ppp-hint.txt (from rev 975, trunk/PREVIOUS_FORMAT/ppp-hint.txt)
Copied: trunk/OLD/sendmail-2.txt (from rev 975, trunk/PREVIOUS_FORMAT/sendmail.txt)
Copied: trunk/OLD/shadowpasswd_plus.txt (from rev 975, trunk/PREVIOUS_FORMAT/shadowpasswd_plus.txt)
Copied: trunk/OLD/shells.txt (from rev 975, trunk/PREVIOUS_FORMAT/shells.txt)
Deleted: trunk/PREVIOUS_FORMAT/automount.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/automount.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/automount.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,219 +0,0 @@
-TITLE: Setting up Automount
-LFS VERSION: Any
-AUTHOR: R. Cort Tompkins <rtompkin at cs.odu.edu>
-SPECIAL THANKS TO:
- Tan Siong Hua <stsh at pd.jaring.my>
-
-SYNOPSIS:
- The mounting and unmounting of removable media is a tedious task,
-especially when it needs to be done by unprivileged users. Automount is a
-utility that will automatically unmount specified devices after a given
-interval, and then remount them automatically upon subsequent access. This
-makes the mount/unmount process relatively transparent to the end user.
-
-HINT:
-To get started you'll need a few things:
-1) Automount support in the kernel. This is compiled into the kernel by
-default unless you explicitly removed it during kernel configuration. If this
-is the case, reconfigure your kernel (i.e. "make menuconfig" in your kernel
-source directory) and enable Automount v4 as a built-in feature under the
-"File Systems" heading.
-
-2) The automount user utilities. Download the latest version 3 utilities from
-ftp://ftp.kernel.org/pub/linux/daemons/autofs (autofs-3.1.7.tar.bz2 at the time
-of this writing). Extract this archive and cd into it. Before compilation
-and installation, we'll take preemptive action to stop a compile-time error:
-
- $ cp modules/lookup_program.c modules/lookup_program.c.old
- $ sed "s/OPEN_MAX/FOPEN_MAX/" modules/lookup_program.c.old > \
- modules/lookup_program.c
-
- $ ./configure --prefix=/usr --sbindir=/sbin
- $ make
- $ make install
-
-If you look in the sample subdirectory, you'll find rc.autofs, a startup script
-designed to help automate the automounting process. Use this if you wish, but
-I will give instructions for creating a slightly simpler script which should
-help you better understand the workings of automount.
-
-First we'll create the script itself, as root:
-
-$ cat > /etc/rc.d/init.d/auto_mount << "EOF"
-#!/bin/bash
-# Begin /etc/rc.d/init.d/auto_mount
-#
-# Automount script by Cort Tompkins - rtompkin at cs.odu.edu, derived
-# from ethnet script by Gerard Beekmans - gerard at linuxfromscratch.org
-
-source /etc/rc.d/init.d/functions
-
-case "$1" in
- start)
-
- for mountspec in $(/bin/ls /etc/sysconfig/automount-config/*.auto)
- do
- source $mountspec
- MOUNT_BASE=${mountspec%.auto}
- echo "Starting automount for group ${MOUNT_BASE##*/} ..."
- /sbin/automount --timeout=${TIMEOUT} $MOUNTPOINT file \
- $MOUNT_BASE.map
- evaluate_retval
- done
- ;;
-
- # assume all instances of automount were started by this script
- stop)
- echo -n "Stopping automount ..."
- # Unmount everything mounted by automount
- /bin/killall -USR1 automount
- /bin/killall automount
- evaluate_retval
- ;;
- restart)
- $0 stop
- sleep 1
- $0 start
- ;;
- *)
- echo "Usage: $0 {start|stop|restart}"
- exit 1
- ;;
-esac
-# End /etc/rc.d/init.d/auto_mount
-EOF
-
-Please resist the temptation to name the startup script "automount." This
-means that the script will get the same kill signals we send to automount
-proper.
-
-Give the script proper permissions:
-$ chmod 754 /etc/rc.d/init.d/auto_mount
-
-Since I use automount for network shares, I only want it to be running when
-in a networkable state. On the very rare occasion that you find yourself in
-an unnetworked runlevel, you can always mount your removable devices manually.
-$ cd /etc/rc.d
-$ for rl in $(seq 0 2; echo 6); do
- > cd rc${rl}.d
- > ln -s ../init.d/auto_mount K45auto_mount
- > cd ..
- > done
-$ for rl in $(seq 3 5); do
- > cd rc${rl}.d
- > ln -s ../init.d/auto_mount S25auto_mount
- > cd ..
- > done
-
-Create the sysconfig directory that the script will use:
-$ mkdir /etc/sysconfig/automount-config
-
-Inside /etc/sysconfig/automount-config/, you'll create pairs of files for each
-group of devices you wish to automount. The format of the files is as follows:
-
-xxxx.auto:
-MOUNTPOINT=/path/to/mountdir
-TIMEOUT=999
-
-xxxx.map:
-MOUNTNAME -fstype=FSTYPE[,OPTIONS] :/path/to/device
-MOUNTNAME -fstype=FSTYPE[,OPTIONS] :/path/to/device
-
-DO NOT create the "MOUNTNAME" directory under the "MOUNTPOINT" yourself.
-Automount will create and remove this directory as needed.
-
-The format of the .auto files is arbitrarily determined by the workings of the
-auto_mount script; more information on the format of the .map files can be
-found using "man 5 autofs". The OPTIONS used in the .map file are the same
-options you would pass to mount with the -o flag. Note that you can have
-multiple entries in a .map file, but they will all assume the same mountpoint
-and timeout specified in the corresponding .auto file of the same prefix. The
-auto_mount script can handle any number of .map/.auto pairs (so long as the
-pairs both have the same prefix). Here are some examples:
-
---
-cdrom.auto:
-MOUNTPOINT=/mnt
-TIMEOUT=5
-
-cdrom.map:
-cd -fstype=iso9660,ro :/dev/cdrom
---
-The above pair will automount /dev/cdrom at /mnt/cd with a timeout of 5
-seconds. This means that after five seconds of inactivity the cdrom device will
-be automatically unmounted, allowing you to put in a new CD to be automatically
-remounted upon subsequent access. You can verify this after initializing
-automount:
-
-$ ls /mnt/cd; mount
-
-You will see that the cdrom is mounted. Wait five seconds.
-
-$ mount
-
-If everything is working properly, automount will have unmounted the cdrom.
-Subsequent access to /mnt/cd will cause it to be remounted.
-
-Most CD drives lock their CD trays while mounted, preventing you from removing
-the media while the drive is mounted. Floppy drives, on the other hand, have
-no such protection; it is best to keep their timeout value as small as possible:
---
-floppy.auto:
-MOUNTPOINT=/mnt
-TIMEOUT=1
-
-floppy.map:
-flop -fstype=auto :/dev/fd0
---
-This mounts the floppy drive at /mnt/flop. Note that a timeout of 0 will
-disable the automatic unmounting altogether.
-
-Automount can also be used to mount network shares:
---
-samba.auto:
-MOUNTPOINT=/smb/win2kbox
-TIMEOUT=300
-
-samba.map:
-c -fstype=smbfs,username=samba,password=xxxx ://win2kbox/c
-d -fstype=smbfs,username=samba,password=xxxx ://win2kbox/d
---
-The two samba shares specified will be automounted at /smb/win2kbox/c and
-/smb/win2kbox/d
-
-One final note of caution (from the autofs man page):
-
-UNSUPPORTED:
- The automounter does not support direct maps or mount
- trees (more than one file system to be mounted under a spe-
- cific automount point)...
-
-This (unfortunately) means that you can't have separate
-.auto/.map pairs with the same MOUNTPOINT. Thus, the individual
-floppy and cdrom examples used above cannot be used together! The
-best alternative in this case is to combine them into one file pair:
-
---
-removables.auto:
-MOUNTPOINT=/mnt
-TIMEOUT=1
-
-removable.map:
-cd -fstype=iso9660,ro :/dev/cdrom
-flop -fstype=auto :/dev/fd0
---
-
-The more adventurous among you may also consider compiling and
-installing automount v4 (beta). Its compilation and installation
-is virtually identical to that outlined above, with the
-exception of the patching of lookup_module.c (the first block of
-commands). Upgrading is as simple as:
-
- $ tar xvfj autofs-4.0.0pre10.tar.bz2
- $ cd autofs-4.0.0pre10
- $ ./configure --prefix=/usr --sbindir=/sbin && make &&
- make install
- $ /etc/rc.d/init.d/auto_mount restart
-
-Feel free to e-mail me with questions or suggestions.
-
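Review bot: the samba.map example (`c -fstype=smbfs,username=samba,password=xxxx ://win2kbox/c`) puts the share password in a file under /etc/sysconfig/automount-config, and the hint never restricts that directory (it only runs `mkdir /etc/sysconfig/automount-config`), so the credential is readable by every local user; a `chmod 700` on the directory or `chmod 600` on the .map files next to the mkdir line would close that. Separately, the `stop)` branch runs `/bin/killall -USR1 automount` and `/bin/killall automount` back to back, so the unmounts the USR1 is meant to trigger may not finish before the daemon is killed; a short `sleep` between the two would make stop reliable. Both points carry over unchanged into trunk/OLD/automount.txt.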
Deleted: trunk/PREVIOUS_FORMAT/iproute2.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/iproute2.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/iproute2.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,344 +0,0 @@
-TITLE: Iproute2 and traffic shaping
-LFS VERSION: Kernel 2.4.20 and later versions
-AUTHOR: Marcos Zapata <zeta11 at hotpop.com>
-VERSION: 2003/08/20
-
-SYNOPSIS:
- How to compile iproute2 and some basic traffic shaping scripts for your LFS.
-
-HINT:
-Most linux distributions are starting to provide the iproute2 package,
-because of the new redesigned network subsystem implemented in kernels 2.2 and
-up. The old comands 'ifconfig' and 'route' are now been deprecated because of
-their faulty and unexpected behaviour under these kernels.
-It was written by Alexey Kuznetsov, who also wrote the routing code of the
-kernels 2.2 and up. This new routing and filtering code provides many advantages
-and features that weren't available before, and ip/tc are the tools to handle
-it. I won't be explaining traffic shaping with CBQ and HTB, just how to get them
-for your LFS. You'll find some links in references.
-
-
-This package requires db. If you don't have it, you can get it at
-www.sleepycat.com. For example: db-4.1.25 (actually, I've been using db-4.0.14
-without any problem), from:
-
-http://www.sleepycat.com/update/snapshot/db-4.1.25.tar.gz
-
-tar -zxvf db-4.1.25.tar.gz
-cd db-4.1.25/dist
-./configure --prefix=/usr --enable-compat185
-make
-make install
-
-now, we can continue with iproute2.
-
-
-Where to download it?
-ftp://ftp.inr.ac.ru/ip-routing/
-
-For the purposites of this hint, I'll be using:
-iproute2-2.4.7-now-ss020116-try.tar.gz and kernel-2.4.20.
-
-Starting with kernel-2.4.20 you can find HTB and CBQ packet schedulers. If you
-plan to use an older kernel (not recommended) you'll need to apply a patch to
-support it. Either way we'll need to get the patch for iproute to handle HTB:
-
-http://luxik.cdi.cz/~devik/qos/htb/v3/htb3.6-020525.tgz
-
-The compiling and instalation of these tools is very strait-forward:
-
-tar -zxvf htb3.6-020525.tgz
-tar -zxvf iproute2-2.4.7-now-ss020116-try.tar.gz
-cd iproute2
-
-#apply the patch
-patch -Np1 < ../htb3.6_tc.diff
-
-#if you want, edit Makefile to change some values like KERNEL_INCLUDE or
-#SBINDIR. You shouldn't need to if you've built LFS.
-
-make
-make install
-
-If you didn't edit Makefile, the tools should be in /sbin, the conf. files in
-/etc/iproute2 and the docs in /usr/doc/iproute2. Sadly, it doesn't include any
-man pages, you'll need latex and sgmltools to read the docs. I advised you to
-read them, to fully understand and use these powerful tools.
-
-Ok, now that we have ip and tc with HTB support we need to recompile the kernel.
-With 'make menuconfig' under 'Networking options', enable netlink and filtering
-support, also tunneling and multicasting. To enable traffic shaping, enable all
-the options in 'Qos and/or fair queueing' as modules. The exact options names
-may vary for the different kernel versions. Compile the bzImage and modules,
-install, and remember to add this new kernel to your lilo or grub conf. to start
-with this new configuration.
-
-If you built LFS 3.1 (I guess it could work with previous versions) you need to
-change the boot scripts: localnet and network in /etc/rc.d/init.d.
-
-localnet:
-
-look for 'loadproc ifconfig lo 127.0.0.1' in start), replace it with:
-ip addr add 127.0.0.1/8 dev lo
-ip link set lo up
-
-look for 'loadproc ifconfig lo down' in stop), replace it with:
-ip link set lo down
-ip addr del 127.0.0.1 dev lo
-
-look for 'ifconfig lo' in status), replace it with:
-ip addr show lo
-
-network:
-
-look for 'route add default gateway $GATEWAY metric 1 dev $GATEWAY_IF',...:
-ip route add default via $GATEWAY dev $GATEWAY_IF
-
-look for 'route del -net default', replace it with:
-ip route del default
-
-Also, the scripts in /etc/sysconfig/network-devices: ifdown and ifup.
-
-ifdown:
-
-look for 'ifconfig $1 down', replace it with:
-ip addr flush dev $1
-ip link set $1 down
-
-ifup:
-
-look for 'ifconfig $1 $IP netmask $NETMASK broadcast $BROADCAST',....:
-ip link set $1 up
-ip addr add $IP/$NETMASK broadcast $BROADCAST dev $1
-
-As you can see the ip command is very simple to use, and it's very similar to
-ifconfig and route. The only thing that changes is the NETMASK.
-
-You need to change NETMASK in /etc/sysconfig/network-devices/ifconfig.eth* :
-from 255.255.255.255 to 32
- .. 255.255.255.0 to 24
- .. 255.255.0.0 to 16
- .. 255.0.0.0 to 8
-
-so that ifconfig.eth0 (for example) looks something like this:
-ONBOOT=yes
-IP=192.168.100.254
-NETMASK=24
-BROADCAST=192.168.100.255
-
-
-Now, let's start with some traffic shaping scripts: cbq.init and/or htb.init
-and wondershaper.
-Both CBQ and HTB help you to control the use of the outbound bandwidth on a
-given link. Both allow you to use one physical link to simulate several slower
-links and to send different kinds of traffic on different simulated links.
-
-cbq.init:
-You can get it at http://sourceforge.net/projects/cbqinit. From one of the
-mirrors at:
-
-http://heanet.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.2
-
-mv cbq.init-v0.7.2 cbq.init
-chmod a+x cbq.init
-cp cbq.init /etc/rc.d/init.d
-mkdir /etc/sysconfig/cbq
-
-Remeber to add the symlinks in /etc/rc.d/rc*.d. All the explanations of this
-tool are in script: how it works, parameters, and a sample.
-
-htb.init:
-It's derived from cbq.init that allows for easy setup of HTB-based traffic
-control on Linux. You can get it at http://sourceforge.net/projects/htbinit. One
-of the mirros:
-
-http://keihanna.dl.sourceforge.net/sourceforge/htbinit/htb.init-v0.8.4
-
-mv htb.init-v0.8.4 htb.init
-chmod a+x htb.init
-cp htb.init /etc/rc.d/init.d
-mkdir /etc/sysconfig/htb
-
-Remember to add the symlinks in /etc/rc.d/rc*.d. Just like cbq, you can find all
-you need inside the script.
-
-You can use either one of them. CBQ is older, but it's still widely used. HTB is
-easier and more accurate.
-
-Wondershaper:
-I have a very crapy dsl conection and it really help me: mantaining low latency
-for interactive traffic and surfing while uploading.
-We can get it at:
-
-http://lartc.org/wondershaper/wondershaper-1.1a.tar.gz
-
-tar -zxvf wondershaper-1.1a.tar.gz
-cd wondershaper-1.1a
-
-There are two versions of the script, for CBQ and HTB. To start, you'll need to
-modify at the beginning: DOWNLINK, UPLINK and DEV. You'll also find a README in
-the same directory, please read it, it will help you understand what it really
-does and how to fine tunning it. Afterwards, to get them ready:
-
-cp wshaper wshaper.htb /usr/sbin
-
-That's it. You can reboot now and start using your LFS with these new tools.
-You shouldn't have much trouble setting it up. Good luck.
-
-
-REFERENCES:
-http://lartc.org/lartc.txt Linux Advanced Routing & Traffic Control:
-http://luxik.cdi.cz/~devik/qos/htb/ HTB Home page
-
-
-THANKS:
-Daniel Thaler <daniel at dthaler.de>: db headers, tc (wondershaper)
-lfs at vs.megalink.ru: db headers
-DJ Lucas <dj_me at swbell.net>: db headers
-Samual Walters <saltwater at madasafish.com>: db headers
-Diego Saravia <dsa at unsa.edu.ar>
-( Sorry for taking so long to correct the hint. )
-
-
-
-EXTRA: Automatic generation of broadcast addresses with LFS
-I was not sure to include this but here it goes, if it can be of any use...
-I was tired of calculating broadcast addresses, so i decided to modify the ifup
-script from LFS to do just that. It's not very clean and surely not the
-paradigm of programming but it works just fine. You've been warned!
-
-You need bc. Get it at:
-
-ftp://ftp.gnu.org/gnu/bc/bc-1.06.tar.gz
-
-tar -zxvf bc-1.06.tar.gz
-cd bc-1.06
-./configure --prefix=/usr
-make
-make install
-
-and rpncalc at:
-
-http://ftp.debian.org/debian/pool/main/r/rpncalc/rpncalc_1.33.3.tar.gz
-
-tar -zxvf rpncalc_1.33.3.tar.gz
-cd rpncalc-1.33.3
-./configure --prefix=/usr
-make
-make MKINSTALLDIRS=mkinstalldirs install
-
-The script:
-
----/etc/sysconfig/network-devices/ifup---
-
-#!/bin/sh
-
-source /etc/sysconfig/rc
-source $rc_functions
-source $network_devices/ifconfig.$1
-
-if [ -f $network_devices/ifup-$1 ]
-then
- $network_devices/ifup-$1
-else
- if [ -z $IP ]
- then
- echo "IP variable missing for ifconfig.$1, cannot continue"
- exit 1
- fi
-
- if [ -z $NETMASK ]
- then
- echo -n "NETMASK variable missing for ifconfig.$1, "
- echo "using 255.255.255.0"
- NETMASK=255.255.255.0
- fi
-
- if [ "`echo "$NETMASK" | grep "\."`" ]; then
- MASK=0
- for i in `seq 1 4`; do
- OC=`echo "$NETMASK" | cut -d'.' -f$i`
- for j in `seq 0 7`; do
- BIN=`echo "256-2^$j" | bc`
- if [ $BIN == $OC ]; then
- k=`echo "8-$j" | bc`
- let MASK=MASK+$k
- break
- fi
- done
- done
- else
- MASK=$NETMASK
- fi
-
- if [ -z $BROADCAST ]
- then
- if [ $MASK -lt 24 ]; then
- # Good luck!
- NETMASK=""
- MSK=$MASK
- DIF=`echo "256-2^(8-$MASK%8)" | bc`
- for i in `seq 1 4`; do
- let MSK=MSK-8
- if [ $MSK -gt -1 ]; then
- NETMASK=$NETMASK.255
- else
- if [ $MSK -lt -8 ]; then
- NETMASK=$NETMASK.0
- else
- NETMASK=$NETMASK.$DIF
- fi
- fi
- done
- NETMASK=`echo "$NETMASK" | sed -e "s/^.//"`
-
- BROADCAST=""
- for i in `seq 1 4`; do
- OC=`echo "$IP" | cut -d'.' -f$i`
- OC2=`echo "$NETMASK" | cut -d'.' -f$i`
- BROADCAST="$BROADCAST.`echo "$OC 255 $OC2 xor or" | rpncalc | cut -d' ' -f3`"
- done
- BROADCAST=`echo "$BROADCAST" | sed -e "s/^.//"`
- else
- # Calculo automatico solo para redes C
- CAN=`echo "2^($MASK-24)" | bc`
- OCTIP=`echo "$IP" | cut -d'.' -f4`
- OCT3IP=`echo "$IP" | cut -d'.' -f-3`
- BROADCAST=""
-
- for i in `seq 1 $CAN`; do
- RED=`echo "256/$CAN*($i-1)" | bc`
- BROAD=`echo "$RED+256/$CAN-1" | bc`
- if [ $OCTIP -gt $RED -a $BROAD -gt $OCTIP ]; then
- BROADCAST="$OCT3IP.$BROAD"
- break
- fi
- done
- fi
- fi
- if [ -z $BROADCAST ]
- then
- echo "Cannot calculate broadcast for ifconfig.$1, something is wrong"
- echo "Please check your IP=$IP and NETMASK=$MASK variables"
- exit 1
- fi
-
- echo "Bringing up the $1 interface..."
- ip link set $1 up
- ip addr add $IP/$MASK broadcast $BROADCAST dev $1
- evaluate_retval
-fi
-
----/etc/sysconfig/network-devices/ifup---
-
-
-This script will calculate the correct broadcast address from the ip address
-and netmask. It will work with all kinds of classes: A, B and C. Although,
-it will only "check" for a valid broadcast address from /24 to /32 and as you
-can see, you can now use NETMASK in ifconfig.eth* with a full address like
-255.255.255.192 or 26. To use it just comment out BROADCAST in ifconfig.eth*.
-Good luck.
-
-
-
-Zeta
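Review bot: the ifup script in the EXTRA section starts with `#!/bin/sh` but relies on bash-only features (`source`, `let MASK=MASK+$k`, `[ $BIN == $OC ]`), so it fails on a system whose /bin/sh is not bash; the shebang should be `#!/bin/bash`, which is also what the rest of the LFS bootscripts use. The final error message `Please check your IP=$IP and NETMASK=$MASK variables` also prints the derived prefix length rather than the NETMASK the user actually wrote, which will confuse anyone debugging a bad mask. Both survive unchanged in trunk/OLD/iproute2.txt.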
Deleted: trunk/PREVIOUS_FORMAT/kerberos.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/kerberos.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/kerberos.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,373 +0,0 @@
-TITLE: Kerberos V
-LFS VERSION: any
-AUTHOR: Succendo Fornacalis <succendo at atlaswebmail.com>
-
-SYNOPSIS:
- Installing Kerberos V on clients and the KDC
-
-HINT:
-So, you want to run Kerberos eh? Or just curious what Kerberos is? Well in such
-a case I will give you my explanation of Kerberos. Kerberos is an authentication
-method developed by MIT that is based on tickets. Tickets, as you may know, are
-used in place of the users password, as well as very strong encryption to
-services like telnet. The Tickets are given out by a Key Distribution Center
-(KDC) and then used for authenticating to any other server within it's realm.
-So, in short, users send their password to the KDC, The KDC then gives them a
-Ticket granting Ticket or TGT encrypted using their password as the key. If
-their password is bad, then the TGT will be bogus. The TGT which expires at a
-given time, permits the client to obtain additional tickets. This gives
-permission to a specific service. If this hint is acward or just plain bad, let
-me know, or if I just suck at explaining something let me know that too, and
-Iâll make revision. I am, by no means, a writer so Iâm sure this could be
-better. And with that, good luck.
-
-
-CONTENTS
-========
-
- 1. Introduction
- 2. Installing Kerberos
- 3. Creating Configs
- 4. Adding Support
- 5. Creating Bootscripts
-
-
-Software used/mentioned/etc in this hint
-========================================
-Kerberos V: http://web.MIT.edu/network/Kerberos-form.html
-Samba 2.2.2: ftp://ftp.samba.org/pub/samba/samba-2.2.2.tar.gz
-OpenSSL: http://www.openssl.org/source/openssl-0.9.6b.tar.gz
-SSH: ftp://ftp.ssh.com/pub/ssh/ssh-3.0.1.tar.gz
-
-Installing Kerberos V
-=====================
-cd src &&
-/configure --prefix=/usr &&
-make distclean &&
-make &&
-make check &&
-make install
-
-If you want to keep everything after the LFS install seperatate, you can give it
-the prefix /usr/local. Just make sure you change the ./configure lines to
-/usr/local.
-
-This will compile the Kerberos tools, and a telnetd with kerberos support.
-
-Setting up KDC
-==============
-see man krb5.conf and man kdc.conf
-the config files are built much like a windows .ini file. The realm is usually
-the domain in caps. Below are commands that I used for my configs, only a few
-changes are needed.
-
-KDC Configuration:
-
-cat > /etc/krb5.conf << "EOF"
-[libdefaults]
- ticket_lifetime = 600
- default_realm = NOVASTAR.WOX.ORG
- default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
- default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
-
-[realms]
- NOVASTAR.WOX.ORG = {
- kdc = SockPuppet.novastar.wox.org:88
- admin_server = SockPuppet.novastar.wox.org:749
- default_domain = novastar.wox.org
- }
-
-[domain_realm]
- .novastar.wox.org = NOVASTAR.WOX.ORG
- novastar.wox.org = NOVASTAR.WOX.ORG
-
-[logging]
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmin.log
- default = FILE:/var/log/krb5lib.log
-EOF
-
-cat > /etc/kdc.conf << "EOF"
-[kdcdefaults]
- kdc_ports = 88,750
-
-[realms]
- NOVASTAR.WOX.ORG = {
- database_name = /usr/var/krb5kdc/principal
- admin_keytab = /usr/var/krb5kdc/kadm5.keytab
- acl_file = /usr/var/krb5kdc/kadm5.acl
- dict_file = /usr/var/krb5kdc/kadm5.dict
- key_stash_file = /usr/var/krb5kdc/.k5.NOVASTAR.WOX.ORG
- kadmind_port = 749
- max_life = 10h 0m 0s
- max_renewable_life = 7d 0h 0m 0s
- master_key_type = des3-hmac-sha1
- supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
- }
-EOF
-
-To add Kerberos V4 support, add des-cbc-crc:v4 to the supported_enctypes line.
-
-add Kerberos to /etc/services with these commandi (note that there daemons can
-be run an any server within the relm):
-
-echo "kerberos 88/udp kdc # Kerberos V5 KDC" >>/etc/services
-echo "kerberos 88/tcp kdc # Kerberos V5 KDC" >>/etc/services
-echo "klogin 543/tcp # Kerberos authenticated rlogin"
->>/etc/services
-echo "kshell 544/tcp cmd # and remote shell" >>/etc/services
-echo "kerberos-adm 749/tcp # Kerberos 5 admin/changepw"
->>/etc/services
-echo "kerberos-adm 749/udp # Kerberos 5 admin/changepw"
->>/etc/services
-echo "krb5_prop 754/tcp # Kerberos slave propagation"
->>/etc/services
-echo "eklogin 2105/tcp # Kerberos auth. & encrypted rlogin"
->>/etc/services
-echo "krb524 4444/tcp # Kerberos 5 to 4 ticket translator"
->>/etc/services
-
-add Kerberos servers to inetd.conf with these commands. This only allows
-authentification through kerberos if you want to allow nono kerberos access to
-telnet (why?) ftp sh etc. have a look at the man pages (make sure you find and
-remove ftp, telnet, shell, login, and exec from you're config)
-
-echo "klogin stream tcp nowait root /usr/sbin/klogind klogind -k -c" >>
-/etc/inetd.conf
-echo "eklogin stream tcp nowait root /usr/sbin/klogind klogind -k -c -e" >>
-/etc/inetd.conf
-echo "kshell stream tcp nowait root /usr/sbin/kshd kshd -k -c -A" >>
-/etc/inetd.conf
-echo "ftp stream tcp nowait root /usr/sbin/ftpd ftpd -a" >>
-/etc/inetd.conf
-echo "telnet stream tcp nowait root /usr/sbin/telnetd telnetd -a valid" >>
-/etc/inetd.conf
-
-
-Creating the database:
-the creation of the password database is more complex than I would like to cover
-in this hint, MIT has a great howto on the entire prosses at
-http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.2/doc/install.html#SEC42
-
-
-Setting Up Clients
-==================
-cat > /etc/krb5.conf << "EOF"
-[libdefaults]
- ticket_lifetime = 600
- default_realm = NOVASTAR.WOX.ORG
- default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
- default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
-
-[realms]
- NOVASTAR.WOX.ORG = {
- kdc = SockPuppet.novastar.wox.org:88
- admin_server = SockPuppet.novastar.wox.org:749
- default_domain = novastar.wox.org
- }
-
-[domain_realm]
- .novastar.wox.org = NOVASTAR.WOX.ORG
- novastar.wox.org = NOVASTAR.WOX.ORG
-EOF
-
-add Kerberos to /etc/services with these command:
-
-echo "kerberos 88/udp kdc # Kerberos V5 KDC" >>/etc/services
-echo "kerberos 88/tcp kdc # Kerberos V5 KDC" >>/etc/services
-echo "klogin 543/tcp # Kerberos authenticated rlogin"
->>/etc/services
-echo "kshell 544/tcp cmd # and remote shell" >>/etc/services
-echo "kerberos-adm 749/tcp # Kerberos 5 admin/changepw"
->>/etc/services
-echo "kerberos-adm 749/udp # Kerberos 5 admin/changepw"
->>/etc/services
-echo "krb5_prop 754/tcp # Kerberos slave propagation"
->>/etc/services
-echo "eklogin 2105/tcp # Kerberos auth. & encrypted rlogin"
->>/etc/services
-echo "krb524 4444/tcp # Kerberos 5 to 4 ticket translator"
->>/etc/services
-
-Adding Support
-==============
-in this section I assume you have openssl installed, if not, go for it. Samba is
-the only daemon that I have come accross in my search that has kerberos V
-suport, if you know of any others, let me know.
-
-Samba:
-/configure --with-krb5=/usr --with-ssl &&
-make &&
-make install
-
-SSH: Unfortanatly OpenSSH (as of now) does not support Kerberos V. NOTE: SSH's
-support of Kerberos V is EXPERIMENTAL. I take no responsibility if it goes ape
-and eats you're dog. you have been warned.
-/configure --with-kerberos5=/usr --prefix=/usr &&
-make &&
-make install
-
-
-Creating Bootscripts
-====================
-this is the final step in our great adventure together. Creating the boot
-scripts for all of the daemons.
-
-cat > /etc/init.d/kdc << "EOF"
-#!/bin/sh
-# Begin /etc/init.d/kdc
-
-#
-# Include the functions declared in the /etc/init.d/functions file
-#
-
-source /etc/init.d/functions
-
-case "$1" in
- start)
- echo -n "Starting Kerberos KDC ..."
- loadproc krb5kdc
- ;;
-
- stop)
- echo -n "Stopping Kerberos KDC ..."
- killproc krb5kdc
- ;;
-
- restart)
- $0 stop
- /usr/bin/sleep 1
- $0 start
- ;;
-
- status)
- statusproc krb5kdc
- ;;
-
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
-
-esac
-
-# End /etc/init.d/kdc
-EOF
-
-cat > /etc/init.d/samba << "EOF"
-#!/bin/sh
-# Begin /etc/init.d/samba
-
-#
-# Include the functions declared in the /etc/init.d/functions file
-#
-
-source /etc/init.d/functions
-
-case "$1" in
- start)
- echo -n "Starting Samba ..."
- loadproc /usr/local/samba/bin/smbd
- ;;
-
- stop)
- echo -n "Stopping Samba ..."
- killproc smbd
- ;;
-
- restart)
- $0 stop
- /usr/bin/sleep 1
- $0 start
- ;;
-
- status)
- statusproc smbd
- ;;
-
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
-
-esac
-
-# End /etc/init.d/samba
-EOF
-
-cat > /etc/init.d/sshd << "EOF"
-#!/bin/sh
-# Begin /etc/init.d/ssh
-
-#
-# Include the functions declared in the /etc/init.d/functions file
-#
-
-source /etc/init.d/functions
-
-case "$1" in
- start)
- echo -n "Starting SSH ..."
- loadproc sshd
- ;;
-
- stop)
- echo -n "Stopping SSH ..."
- killproc sshd
- ;;
-
- restart)
- $0 stop
- /usr/bin/sleep 1
- $0 start
- ;;
-
- status)
- statusproc sshd
- ;;
-
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
-
-esac
-
-# End /etc/init.d/ssh
-EOF
-
-chmod 754 /etc/init.d/kdc &&
-chmod 754 /etc/init.d/samba &&
-chmod 754 /etc/init.d/ssh &&
-ln -sf ../init.d/kdc /etc/rc0.d/K400kdc &&
-ln -sf ../init.d/kdc /etc/rc1.d/K400kdc &&
-ln -sf ../init.d/kdc /etc/rc2.d/K400kdc &&
-ln -sf ../init.d/kdc /etc/rc3.d/S600kdc &&
-ln -sf ../init.d/kdc /etc/rc4.d/S600kdc &&
-ln -sf ../init.d/kdc /etc/rc5.d/S600kdc &&
-ln -sf ../init.d/kdc /etc/rc6.d/K400kdc &&
-ln -sf ../init.d/samba /etc/rc0.d/K401samba &&
-ln -sf ../init.d/samba /etc/rc1.d/K401samba &&
-ln -sf ../init.d/samba /etc/rc2.d/K401samba &&
-ln -sf ../init.d/samba /etc/rc3.d/S601samba &&
-ln -sf ../init.d/samba /etc/rc4.d/S601samba &&
-ln -sf ../init.d/samba /etc/rc5.d/S601samba &&
-ln -sf ../init.d/samba /etc/rc6.d/K400samba &&
-ln -sf ../init.d/ssh /etc/rc0.d/K402ssh &&
-ln -sf ../init.d/ssh /etc/rc1.d/K402ssh &&
-ln -sf ../init.d/ssh /etc/rc2.d/K402ssh &&
-ln -sf ../init.d/ssh /etc/rc3.d/S602ssh &&
-ln -sf ../init.d/ssh /etc/rc4.d/S602ssh &&
-ln -sf ../init.d/ssh /etc/rc5.d/S602ssh &&
-ln -sf ../init.d/ssh /etc/rc6.d/K402ssh
-
-
-Further Reading
-===========
-
-Apache hint: http://hints.linuxfromscratch.org/hints/apache+php4+sql.hint.txt
-Samba hint: http://hints.linuxfromscratch.org/hints/samba.txt
-MIT's Docs on Kerberos:
-http://web.mit.edu/kerberos/www/krb5-1.2/index.html#documentation
-
-
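Review bot: the bootscript section writes the SSH script to `/etc/init.d/sshd` but the chmod and every symlink after it reference `/etc/init.d/ssh` (`chmod 754 /etc/init.d/ssh`, `ln -sf ../init.d/ssh /etc/rc3.d/S602ssh` and so on), so the script is left non-executable and all the rc links dangle; either create the file as `/etc/init.d/ssh`, matching its own `# Begin /etc/init.d/ssh` comment, or change the chmod and ln lines to `sshd`. In the same hunk the three `/configure` invocations are missing the leading `./`, and the rc6.d link `K400samba` is inconsistent with `K401samba` in the other runlevels. Since the file is copied verbatim to trunk/OLD/kerberos.txt, these are worth fixing there if the hint is kept as a reference.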
Deleted: trunk/PREVIOUS_FORMAT/lzw_graphics.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/lzw_graphics.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/lzw_graphics.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,158 +0,0 @@
-Title: LZW Compression for Graphics Libraries in BLFS
-BLFS VERSION: 1.0
-Author: Michael A. Peters <mpeters at mac.com>
-
-SYNOPSIS:
- Adding LZW compression to graphics applications that can utilize it
-
-HINT:
-ver 1.0
-08/05/2003
-
-Contents
---------
-
- 0. Preface
- 1. Why care about LZW
- 2. Legal Issues
- 3. Giflib as replacement for libungif
- 3a. Makefile Issues
- 4. libtiff
- 5. gd library
-
-0. Preface
-----------
- In the early 1980's a compression algorithm known as LZW emerged that
- was very good at lossless compression of data. This algorithm was used
- in a variety of software products, such as the UNIX compress command.
-
- LZW was chosen as the compression algorithm for the CompuServe GIF image
- format, as well as the TIFF image format. A free library emerged called
- Giflib that allowed freeware and shareware authors to write programs for
- the GIF image format, and as a result, the GIF image format became very
- popular.
-
- A company called Unisys existed that owned a patent on this algorithm,
- but they did not complain until the GIF image format was already in very
- wide use. At that point in time, they decided they wanted to charge a
- very expensive licensing fee to use the LZW compression algorithm.
-
- Since free software is free, this became a problem for the free software
- industry. The result was that LZW was ripped out of several products.
-
- This document tells you how to put it back in since many countries do
- not recognize the Unisys software patent, and the patent is very close
- to expiring in the U.S. if it has not expired already.
-
-1. Why Care About LZW
----------------------
- The PNG image format has largely replaced the GIF image in the free
- software world. However, the evil was not with LZW - but rather, with
- the software patent that restricted its use without licensing.
-
- Since the compression algorithm itself is a very good one, there is no
- reason not to use it where we can. Also, while PNG can be used as a
- replacement for GIF, there is not really a suitable replacement for the
- TIFF image format. Patching LZW support back into libtiff will allow the
- creation of compressed TIFF images, and the compression makes a big
- difference in the final file size.
-
-2. Legal Issues
----------------
- In some countries it may not be legal to use the LZW algorithm without
- paying a license fee. To the best of my knowledge the patent expires in
- June 2003 in the United States. However, I believe the patent does not
- expire in Japan until June 2004. You are advised to follow your local
- law with respect to using the LZW compression algorithm and any license
- fees that you are required to pay to do so. You are also advised to
- look up the patent expiration date yourself, rather than rely on the
- information I provide. I am not a patent lawyer.
-
-3. Giflib as replacement for libungif
--------------------------------------
- libungif was written as a replacement for Giflib. libungif does not use
- LZW but instead produces uncompressed GIF images. If you would rather
- produce compressed GIF images, then build Giflib instead of libungif.
-
- Giflib 4.1.0 can be downloaded from:
- http://ftp.rge.com/pub/multimedia/libungif/giflib-4.1.0.tar.gz
-
- Follow the same build instructions for libungif in the BLFS book.
-
-3a. Makefile Issues
--------------------
- Most configure scripts will find libgif in your library path and use
- that if you don't have libungif install. This is not universally true.
- Some packages, such as emacs, will specifically look for libungif.
-
- There are two ways to solve this issue. The first to make the following
- symlinks in your /usr/lib directory:
- ln -s libgif.a libungif.a
- ln -s libgif.la libungif.la
- ln -s libgif.so libungif.so
- ln -s libgif.so.4 libungif.so.4
- ln -s libgif.so.4.1.0 libungif.so.4.1.0
-
- The second method, which is a little cleaner IMHO, is to modify the
- configure scripts and Makefiles of the source to the software before
- building it. For example, with emacs, there are two files that need
- to be edited: configure and src/Makefile.in
-
- In both files you just need to change every reference of lungif to lgif:
-
- cp configure configure.orig &&
- sed -e s?"ungif"?"gif"? < configure.orig > configure &&
- cd src &&
- cp Makefile.in Makefile.in.orig &&
- sed -e s?"ungif"?"gif"? < Makefile.in.orig > Makefile.in &&
- cd ..
-
- Then you can proceed to build as normal and emacs will use libgif.
-
-4. libtiff
-----------
- To put LZW compression back into libtiff, all you need to do is apply
- the LZW Compression Kit to the source before building it.
- You can download the kit from:
- ftp://ftp.remotesensing.org/libtiff/libtiff-lzw-compression-kit-1.3.tar.gz
-
- The official instructions in the kit say:
- "Just copy tif_lzw.c over the copy in libtiff and rebuild libtiff."
-
- In other words, unpack the libtiff source as you would while following
- the BLFS instructions. Before you do anything else, also unpack the
- libtiff-lzw-compression-kit and replace the tif_lzw.c file in the
- libtiff source directory with the one in the compression kit.
-
- Then continue to build libtiff as described in the BLFS book.
-
-5. gd library
--------------
- Most applications that offer gif support will use libgif or libungif.
- However, some applications will look for gif support in the gd library
- and use gd for gif support if it finds it.
-
- The author of the gd library no longer includes any gif support in his
- library. However, we can patch gif support (with LZW compression) back
- into gif so that software that wants to use gd for gif support can find
- it.
-
- The gd library can be downloaded from:
- http://www.boutell.com/gd/http/gd-2.0.12.tar.gz
-
- The patch to the gd library can be downloaded from:
- http://downloads.rhyme.com.au/gd/patch_gd2.0.12_gif_20030401.gz
-
- to build:
- patch -p1 < ../patch_gd2.0.12_gif_20030401 &&
- ./configure --prefix=/usr &&
- make &&
- make install &&
- /sbin/ldconfig
-
- It is best to build gd after building zlib, libpng, freetype2, libjpeg,
- and XFree86 - as gd will use those libraries if configure finds them.
-
-
-
-
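Review bot: the two `sed -e s?"ungif"?"gif"?` invocations in section 3a replace only the first `ungif` on each line because the substitution has no `g` flag, so a configure or Makefile.in line that names libungif twice is left half-edited, contradicting the instruction to change every reference; `sed -e 's?ungif?gif?g'` would do what the text promises. Two smaller points in the same hunk: section 5 downloads `patch_gd2.0.12_gif_20030401.gz` but then runs `patch -p1 < ../patch_gd2.0.12_gif_20030401` with no decompression step in between, and both that patch and the replacement `tif_lzw.c` in section 4 are fetched from third-party URLs with no checksum or signature to verify against, which deserves a caveat if this hint is ever revived.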
Deleted: trunk/PREVIOUS_FORMAT/nfs.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/nfs.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/nfs.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,204 +0,0 @@
-TITLE: Running an NFS Server on LFS
-LFS VERSION: any
-AUTHOR: Ian Chilton <ian at ichilton.co.uk>
-
-SYNOPSIS:
- A while ago, I wrote an LFS-Hint on setting up an NFS server on an LFS system. There is now a much better way to do it, using the NFS code in the later kernels.
-
-HINT:
-KERNEL VERSION: 2.2.18+ or 2.4.0+
-
-NOTE:
-This is not a complete guide to using NFS...it is only ment as a quick
-introduction to compiling the packages.
-
-** There are some important security issues when using NFS **
-Please read: http://nfs.sourceforge.net/nfs-howto for more info before
-you start using NFS.
-
-The author holds no responsibility for any loss or damage etc etc..
-
-
-First, we need TCP Wrappers:
-
-Download the following:
-http://files.ichilton.co.uk/nfs/tcp_wrappers_7.6.diff.gz
-http://files.ichilton.co.uk/nfs/tcp_wrappers_7.6.tar.gz
-
-Then do:
-tar xzvf tcp_wrappers_7.6.tar.gz
-cd tcp_wrappers_7.6
-zcat ../tcp_wrappers_7.6.diff.gz | patch -p1
-make REAL_DAEMON_DIR=/usr/sbin linux
-cp libwrap.a /usr/lib
-cp tcpd.h /usr/include
-cp safe_finger /usr/sbin
-cp tcpd /usr/sbin
-cp tcpdchk /usr/sbin
-cp tcpdmatch /usr/sbin
-cp try-from /usr/sbin
-
-
-Next we need the Portmapper:
-
-Download the following:
-http://files.ichilton.co.uk/nfs/portmap_5-1.diff.gz
-http://files.ichilton.co.uk/nfs/portmap_5.orig.tar.gz
-
-tar xzvf portmap_5.orig.tar.gz
-cd portmap_5beta
-zcat ../portmap_5-1.diff.gz | patch -p1
-make
-make install
-
-
-Now we do NFS Utils:
-
-Download:
-http://download.sourceforge.net/nfs/nfs-utils-0.2.1.tar.gz
-
-tar zxvf nfs-utils-0.2.1.tar.gz
-cd nfs-utils-0.2.1
-./configure --prefix=/usr
-make
-make install
-
-
-That's all the software we need. You should do the above on all clients
-and the server. You should also update to the latest util-linux package
-on the clients. This is available from:
-ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/
-
-
-Now, we need to recompile the kernel.
-
-In the Filesystems -> Network Filesystems section on the kernel config,
-you should have the following:
-
-* NFS filesystem support
- - NFS Version 3 filesystem support
-
-* NFS server support
- - NFS Version 3 server support
- - NFS server TCP support
-
-
-For the server, you should enable these:
-
-* NFS filesystem support
- - NFS Version 3 filesystem support
-
-
-For the clients, you should enable these:
-* NFS server support
- - NFS Version 3 server support
-
-
-Recompile and boot the new kernel.
-
-
-Then, we need an /etc/exports file.
-
-An example 'share' is:
-
-/home/ian 192.168.0.1(rw)
-
-
-The format is obvious: /home/ian is the directory to share,
-192.168.0.1 is the client to share to, and rw is read-write mode.
-
-
-Then, on the server, start NFS...this is my startup script:
-
-#!/bin/sh
-# Begin /etc/init.d/nfs
-
-source /etc/init.d/functions
-
-case "$1" in
- start)
- echo -n "Starting RPC Portmapper"
- loadproc /sbin/portmap
- echo -n "Starting NFS"
- loadproc /usr/sbin/rpc.mountd
- loadproc /usr/sbin/rpc.nfsd 8
- loadproc /usr/sbin/rpc.statd
- ;;
-
- stop)
- echo -n "Stopping NFS"
- killproc /usr/sbin/rpc.nfsd
- killproc /usr/sbin/rpc.mountd
-
- echo -n "Stopping Portmapper"
- killproc /sbin/portmap
- ;;
-
- reload)
- echo "Reloading NFS"
- /usr/sbin/exportfs -ra
- ;;
-
- restart)
- $0 stop
- /usr/bin/sleep 1
- $0 start
- ;;
-
- *)
- echo "Usage: $0 {start|stop|reload|restart}"
- exit 1
- ;;
-
-esac
-
-# End /etc/init.d/nfs
-
-
-
-On the workstations, you just need this:
-
-#!/bin/sh
-# Begin /etc/init.d/nfsclient
-
-source /etc/init.d/functions
-
-case "$1" in
- start)
- echo -n "Starting RPC Portmapper"
- loadproc /sbin/portmap
- echo -n "Starting statd for NFS"
- loadproc /usr/sbin/rpc.statd
- ;;
-
- stop)
- echo -n "Stopping Portmapper"
- killproc /sbin/portmap
- ;;
-
-
- restart)
- $0 stop
- /usr/bin/sleep 1
- $0 start
- ;;
-
- *)
- echo "Usage: $0 {start|stop}"
- exit 1
- ;;
-
-esac
-
-# End /etc/init.d/nfsclient
-
-
-Now all that remains is to mount the remote directory on the client:
-
-mount server:/home/ian /mntdir
-(or, I use mount -o rsize=8192,wsize=8192,hard,intr server:/home/ian
-/mntdir)
-
-See the new version of the NFS-HOWTO
-(http://nfs.sourceforge.net/nfs-howto) for more information.
-
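Review bot: the kernel configuration section has server and client swapped: the block headed "For the server, you should enable these:" lists only "NFS filesystem support" (the client-side filesystem), while "For the clients, you should enable these:" lists "NFS server support"; the two lists should be exchanged, or the per-role blocks dropped in favour of the combined list directly above them. Two further gaps in the same hunk: the `stop)` branch of /etc/init.d/nfs kills rpc.nfsd, rpc.mountd and portmap but leaves the rpc.statd that `start)` launched running, and TCP wrappers are built and installed at the top of the hint (presumably so that portmap links against libwrap) yet no /etc/hosts.allow or /etc/hosts.deny is ever written, so portmap and the rpc daemons stay reachable from any host; a sample `portmap: 192.168.0.` entry, or at least a pointer to it beside the "important security issues" warning, would close that.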
Deleted: trunk/PREVIOUS_FORMAT/pam+shadow+cracklib.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/pam+shadow+cracklib.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/pam+shadow+cracklib.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,484 +0,0 @@
-TITLE: Linux-PAM + CrackLib + Shadow
-LFS VERSION: 3.2+
-AUTHOR: Ted Riley <reesonline at messages.to>
-
-SYNOPSIS:
- How to configure cracklib, Linux-PAM and the Shadow suite
-
-HINT:
-
-CONTENTS
-========
- 1. Introduction
- 2. Changelog
- 3. Resources
- 4. CrackLib
- 5. Linux-PAM
- 6. Shadow
- 7. PAM Configuration
- 8. Trouble
- 9. Other Programs
- 10. Closing
-
-
-INTRODUCTION
-============
-We're going to install cracklib, Linux-PAM and the shadow package, in
-that order. (Shadow requires the PAM libraries, which require the
-cracklib libraries.) This hint can be used if you already have an LFS
-installation in place or if you are installing LFS for the first time.
-Once the binaries are in place, we will create and/or modify the
-necessary configuration files to get everything up and running smoothly.
-Please note: Do not log out until all the configuration files have been
-created, since you will not be able to log back in. In fact, the safest
-thing to do is test your configurations in a separate virtual terminal
-before ending your session.
-
-
-CHANGELOG
-=========
-Current Version
-1.2 - 2002.06.10
- Modified hint to work "in-line" with LFS installation
- Replaced shadow patch with make flags
- Replaced cracklib 'sed' command with make flags
-
-1.1 - 2002.05.31
- Corrected directories in shadow patch
- Added troubleshooting section
- Added other programs section
- Added /usr/share/dict/words symbolic link and explained
-
-1.0 - 2002.05.07
- Updated explanation of shadow/PAM incompatibility
- Cosmetic/grammatical changes
-
-0.9 - 2002.04.28
- Original draft
-
-
-RESOURCES
-=========
-You will need the following packages:
-
-cracklib (2.7 as of this hint):
- http://www.users.dircon.co.uk/~crypto/download/cracklib,2.7.tgz
-NOTE: That is not a typo; that is a comma.
-
-a dictionary:
- http://www.cotse.com/wordlists/allwords
-NOTE: This website also has a dictionary called 'cracklib' but it is
-15.6MB compared to 'allwords' which is 467KB. I have had cracklib
-seg fault with the larger dictionary, but not with the smaller. I know
-others (with better systems than mine) who have used the 'cracklib'
-dictionary successfully. Your mileage may vary.
-
-Linux-PAM (0.75 as of this hint):
- http://wwww.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.75.tar.gz
-NOTE: There is a cracklib-files.tgz here. DO NOT USE IT. This version
-of cracklib appears to be 2.5.1, which has a known vulnerability
-(see http://www.cert.org/vendor_bulletins/VB-97.16.CrackLib)
-
-Shadow (4.0.3 as of this hint):
- ftp://ftp.pld.org.pl/software/shadow/shadow-4.0.3.tar.gz
-NOTE: There is no note for this one; insert humor attempt here.
-
-
-CRACKLIB
-========
-The following assumes that you downloaded the 'allwords' dictionary.
-If you chose a different one, you will have to change the commands
-below to match.
-
-From the directory where you downloaded the dictionary:
-
-cp allwords /usr/share/dict/ &&
-cd /usr/share/dict &&
-ln -s allwords words
-
-One note about the above commands: Traditionally, the /usr/share/dict
-directory had only one file: words. The FHS standard does not prohibit
-other files from being here as long as they are wordlists as well. I
-like to remember what dictionary I used, which is why I do not simply
-rename 'allwords' to 'words.' Creating the link to 'words' helps other
-programs which might look in the standard location for a dictionary
-(that is, the '/usr/share/dict/words' file).
-
-Next, in the cracklib directory, we need to create a couple files:
-
-cat >> crack.h << "EOF"
-#ifndef CRACKLIB_H
-#define CRACKLIB_H
-/* Pass this function a password (pw) and a path to the
- * dictionaries (/usr/lib/cracklib_dict should be specified)
- * and it will either return a NULL string, meaning that the
- * password is good, or a pointer to a string that explains the
- * problem with the password.
- * You must link with -lcrack
- */
-extern char *FascistCheck(char *pw, char *dictpath);
-#endif
-EOF
-
-cat >> util/create_cracklib_dict << "EOF"
-#!/bin/sh
-if [ -z "$*" ]; then
- echo "Usage:"
- echo " $0 wordlist ..."
- echo
- echo "This script takes one or more word list files as arguments"
- echo "and converts them into cracklib dictionaries for use"
- echo "by password checking programs. The results are placed in"
- echo "/usr/lib/cracklib_dict.*"
- echo
- echo "Example:"
- echo "$0 /usr/share/dict/words"
-else
- /usr/sbin/mkdict $* | /usr/sbin/packer /usr/lib/cracklib_dict
-fi
-EOF
-
-And finally we compile cracklib from the source directory:
-
-make DICTPATH=/usr/lib/cracklib_dict SRCDICTS=/usr/share/dict/words install &&
-cp cracklib/libcrack.a /usr/lib &&
-cp crack.h /usr/include &&
-cp util/{mkdict,packer,create_cracklib_dict} /usr/sbin
-
-Command Explanations:
-
-cat >> crack.h ... : These commands create a header file for programs
- to use when compiling with the crack library.
-cat >> util/create_cracklib_dict ... : These commands create a script
- which takes a wordlist as an argument and creates a new cracklib
- dictionary.
-make ... install : Makes the cracklib libraries with the correct
- dictionary locations
-cp cracklib.a /usr/lib : The make install command does not install the
- static cracklib library, so we do it here.
-cp crack.h /usr/include : This command copies the header file we created.
-cp util/mkdict util/packer util/create_cracklib_dict : This command
- copies the scripts and binaries needed to create new cracklib
- dictionaries.
-
-Please note: The crack.h and create_cracklib_dict scripts were based
-on those found in the cracklib.tgz archive. Credit goes to the authors
-of the originals, although they were unlisted (unless the author was
-Alec Muffett, who wrote the cracklib library, in which case credit goes
-to him).
-
-
-LINUX-PAM
-=========
-Now we will compile PAM:
-
-./configure --enable-static-libpam --with-mailspool=/var/mail \
- --enable-suplementedir=/usr/lib &&
-make &&
-make install &&
-cd /lib &&
-for name in libpam libpamc libpam_misc; do
- ln -s ${name}.so.0.75 ${name}.so.0
- done
-
-Command Explanations:
-
-./configure --enable-static-libpam : This builds static PAM libraries as
- well as the dynamic libraries
---with-mailspool=/var/mail : This flag makes the mailspool directory
- FHS-compliant
---with-suplementedir=/usr/lib : This flag installs the unix_chkpwd
- binary in an FHS-compliant location
-for name in libpam libpamc libpam_misc; do : The installer creates
- broken symlinks. These commands correct the library links.
-
-If you don't have sgml tools on your computer, you will receive an error
-message after the install. To install the docs manually, run the
-following commands from the Linux-PAM source directory:
-
-cd doc
-tar zxf Linux-PAM-0.75-docs.tar.gz
-cp -a html /usr/share/doc/Linux-PAM/
-cd /usr/share/doc
-chown -R root:root Linux-PAM
-touch Linux-PAM
-cd Linux-PAM
-touch *
-
-(The final three commands aren't necessary unless you use a time-stamp
-sensitive install manager like install-log.)
-
-
-SHADOW
-======
-There is an incompatibility between the current versions of Shadow and
-the latest versions of Linux-PAM. For the record, the maintainer of the
-shadow package believes the incompatibility lies in the PAM libraries,
-not in shadow. Therefore, he advises using a different version of PAM.
-(available from ftp://ftp.pld.org.pl/software/pam/). However, I prefer
-to use the latest versions of both packages; the compiler flags below
-will accomplish this.
-
-LDFLAGS="-lpam -lpam_misc" ./configure --prefix=/usr --enable-shared \
- --with-libpam --without-libcrack &&
-make &&
-make install &&
-cd /usr/sbin &&
-ln -sf vipw vigr &&
-rm /bin/vipw &&
-mv /bin/sg /usr/bin &&
-mv /lib/{libmisc.*a,libshadow.*a} /usr/lib &&
-cd /usr/lib &&
-ln -sf ../../lib/libshadow.so
-sed 's%/var/spool/mail%/var/mail%' etc/login.defs.linux > /etc/login.defs
-cp debian/securetty /etc/securetty
-
-Command Explanations:
-LDFLAGS="..." ./configure : The compiler flags allow the shadow package
- to link correctly against the PAM libraries; they must be
- entered on the same line as the configure command.
---enable-shared : Shadow no longer creates shared libraries by default,
- so this flag is used.
---with-libpam : This flag compiles with PAM support.
---without-libcrack : Cracklib will be called through PAM, so we do not
- need it here.
-ln -sf vipw vigr ... ln -s ../../lib/libshadow.so : These commands fix
- broken links and un-installed libraries. They are also useful for
- refreshing the time-stamps on the files if you use a time-stamp
- sensitive installer (like install-log).
-sed ... login.defs : This will create the /etc/login.defs file (if you
- don't already have one) and will make the mail directory
- FHS-compliant.
-cp debian/securetty /etc/securetty : This will create the securetty file
- which prevents root logons from all but listed terminals.
-
-Please note: We no longer need the 'limits' and 'login.access' files in
-/etc since PAM will handle these functions. You may safely delete these
-files if you had previously created them.
-
-
-PAM CONFIGURATION
-=================
-We are almost done. Now we will customize our setup. Please note that
-the PAM configuration files below are necessary for PAM to function.
-Without these files, you will not be able to log in.
-
-You can comment out the following entries in login.defs since PAM is now
-handling them. In the right column are the PAM modules which replace
-the entries:
-
-DIALUPS_CHECK_ENAB (not sure - anyone know?)
-LASTLOG_ENAB (pam_lastlog.so)
-MAIL_CHECK_ENAB (pam_mail.so)
-OBSCURE_CHECKS_ENAB (pam_cracklib.so)
-PORTTIME_CHECKS_ENAB (pam_time.so)
-CONSOLE (pam_securetty.so)
-MOTD_FILE (pam_motd.so)
-NOLOGINS_FILE (pam_nologin.so)
-PASS_MIN_LEN (pam_cracklib.so)
-SU_WHEEL_ONLY (pam_wheel.so)
-CRACKLIB_DICTPATH (pam_cracklib.so)
-PASS_CHANGE_TRIES (pam_cracklib.so)
-PASS_ALWAYS_WARN (pam_cracklib.so)
-MD5_CRYPT_ENAB (pam_unix.so with md5 flag)
-CONSOLE_GROUPS (pam_groups.so)
-ENVIRON_FILE (pam_env.so)
-
-Several people have noticed a small problem with pam_issue.so.
-Specifically, if you enter the correct password the first time, the login
-fails, even if pam_issue is set to optional. However, if the wrong password
-is entered at least once, the correct password will work for any further
-attempts. I think this is because the first issue file is displayed by agetty,
-not login. All the other issue messages are displayed by login. So, if you
-succeed the first time, pam_issue is not called. I'm not sure how to get
-around this problem (since even the optional setting doesn't work), so I
-have left the issue command in /etc/login.defs and taken it out of PAM. If
-anyone knows how to fix this, please let me know.
-
-If you want to use the access or limits modules (among others), you can edit
-the configuration files in /etc/security/. Currently, my files are still
-fully commented out (the default), so I'm not much help for suggestions
-on those. If anyone is using these files, I would love to hear from
-them, though.
-
-Below are my pam.d files. I prefer separate files under pam.d as
-opposed to one file (/etc/pam.conf), but use whichever you prefer.
-In fact, if you want to, you can use both by specifying the
---enable-both-confs flag when compiling Linux-PAM.
-
-/etc/pam.d/login:
-# Begin /etc/pam.d/login
-auth requisite pam_securetty.so
-auth requisite pam_nologin.so
-auth required pam_env.so
-auth required pam_unix.so
-account required pam_access.so
-account required pam_unix.so
-session required pam_motd.so
-session required pam_limits.so
-session optional pam_mail.so dir=/var/mail standard
-session optional pam_lastlog.so
-session required pam_unix.so
-# End /etc/pam.d/login
-
-/etc/pam.d/other:
-# Begin /etc/pam.d/other
-auth required pam_deny.so
-auth required pam_warn.so
-account required pam_deny.so
-session required pam_deny.so
-password required pam_deny.so
-password required pam_warn.so
-# End /etc/pam.d/other
-
-/etc/pam.d/passwd:
-# Begin /etc/pam.d/passwd
-password required pam_cracklib.so \
- retry=3 difok=8 minlen=15 dcredit=3 ocredit=3 ucredit=2 lcredit=2
-password required pam_unix.so md5 shadow use_authtok
-# End /etc/pam.d/passwd
-
-/etc/pam.d/shadow:
-# Begin /etc/pam.d/shadow
-auth sufficient pam_rootok.so
-auth required pam_unix.so
-account required pam_unix.so
-session required pam_unix.so
-password required pam_permit.so
-# End /etc/pam.d/shadow
-
-/etc/pam.d/su:
-# Begin /etc/pam.d/su
-auth sufficient pam_rootok.so
-auth required pam_unix.so
-account required pam_unix.so
-session required pam_unix.so
-# End /etc/pam.d/su
-
-/etc/pam.d/useradd:
-# Begin /etc/pam.d/useradd
-auth sufficient pam_rootok.so
-auth required pam_unix.so
-account required pam_unix.so
-session required pam_unix.so
-password required pam_permit.so
-# End /etc/pam.d/useradd
-
-One final note: The shadow file (and useradd, for that matter) require
-a password field, or else they will return a 'PAM chauthtok failed'
-error. Also, the shadow file affects many of the other programs in the
-shadow suite (chfn, chage, groupdel, userdel, etc.). These programs
-interface with PAM as 'shadow' instead of their own program name.
-
-
-TROUBLE
-=======
-Here are a couple problems that crept up while I was installing the above
-programs myself. Just in case you run in these problems yourself, here
-are some tips to help you resolve them. Of course, you will not need
-these because everything will work great the first time. ;-)
-
-Cracklib Seg Fault:
-With a large dictionary file, cracklib gave a segmentation fault the
-second time I tried to change a password. (The first time worked.)
-To fix this, I ran the script create_cracklib_dict, as listed below (I
-was using the 'cracklib' dictionary at the time):
-
-create_cracklib_dict /usr/share/dict/cracklib
-
-This command rebuilt the cracklib dictionary files and cracklib worked
-fine the next time I changed a password. Then it crashed again the
-following time. However, when I ran the above command with the
-'allwords' dictionary listed above, cracklib worked and has worked since.
-
-As noted above, this error may be a result of my computer's limited RAM
-and swap space. Other people have stated that the cracklib dictionary
-has worked fine for them.
-
-Incorrect Root Password:
-Later, due to a misconfiguration, I found myself unable to log in as root.
-To fix this, I used a boot disk (the Slackware boot disk, to be exact)
-which allowed me to log in as root without a password. Once I was
-logged in, I mounted my LFS system. Then, I renamed the pam.d directory
-and created a new pam.d directory with only the 'other' file. This
-temporary file is listed below:
-
-# Begin temporary /etc/pam.d/other
-auth required pam_unix.so nullok
-account required pam_unix.so
-session required pam_unix.so
-password required pam.unix.so nullok
-# End temporary /etc/pam.d/other
-
-I also edited my /etc/passwd file (after making a backup, of course) and
-removed the password field for root. After rebooting, I was able to log
-in as root without a password. Then, I copied my original pam.d directory
-back in place and changed the root password, testing the configuration
-in another virtual terminal.
-
-
-OTHER PROGRAMS
-==============
-
-The main reason to install PAM (at least for me) was so that different
-programs could use it. Below are a few programs that utilize PAM, as
-well as instructions how to compile PAM support into them.
-
-SSH:
-OpenSSH (from http://www.openssh.com/) has a compile option for PAM.
-Simply specify the --with-pam flag when you run the configure script.
-The PAM configuration file I use for ssh is almost identical to the one
-used for login, with one exception: the securetty line is removed (so we
-can log in through ssh from anywhere). For simplicity's sake, the file
-is listed below:
-
-/etc/pam.d/sshd:
-# Begin /etc/pam.d/sshd
-auth requisite pam_nologin.so
-auth required pam_env.so
-auth required pam_unix.so
-account required pam_access.so
-account required pam_unix.so
-session required pam_motd.so
-session required pam_limits.so
-session optional pam_mail.so dir=/var/mail standard
-session optional pam_lastlog.so
-session required pam_unix.so
-# End /etc/pam.d/sshd
-
-PPPD:
-Another program that is useful if you use a modem (including DSL) is
-the pppd program (available from http://www.samba.org/ppp/). To enable
-PAM in pppd, simple add the USE_PAM=y flag after the make command.
-My configuration file for ppp is sparce compared to sshd and login,
-simply because I do not use ppp except to dial out. The configuration
-file for pppd is listed below:
-
-/etc/pam.d/ppp:
-# Begin /etc/pam.d/ppp
-auth requisite pam_nologon.so
-auth required pam_unix.so
-account required pam_unix.so
-session required pam_unix.so
-# End /etc/pam.d/ppp
-
-Please note that the file is called ppp, not pppd. This is because the
-ppp daemon uses "ppp" to interface with PAM instead of "pppd."
-
-
-CLOSING
-=======
-Many thanks to Yannick Tousignant for writing the previous pam hint and
-helping me get my foot in the door. And of course, thanks to Gerard
-Beekmans and the rest of the LFS crew.
-
-Also, thanks to the following individuals for their contributions:
-Thien Vu
-Adrian Woffenden
-
-If you need additional help, be sure to check out the Linux-PAM manuals
-at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/
-Also, help may be available on the Shadow mailing list at
-http://lists.pld.org.pl/archive/index.htm?10
-
-Enjoy.
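Review bot: two PAM module names in this hunk are misspelled in ways that lock users out rather than merely log a warning: the temporary recovery /etc/pam.d/other has `password required pam.unix.so nullok` (should be `pam_unix.so`), and /etc/pam.d/ppp has `auth requisite pam_nologon.so` (should be `pam_nologin.so`); a module that cannot be loaded fails its stack, and because the ppp line is `requisite` pppd authentication fails outright. The configure flag is also given inconsistently: the command uses `--enable-suplementedir=/usr/lib` while the explanation below it describes `--with-suplementedir=/usr/lib`, and the explanation `cp cracklib.a /usr/lib` does not match the command `cp cracklib/libcrack.a /usr/lib`. One caveat worth recording beside the /etc/pam.d/passwd example: positive `dcredit=3 ocredit=3 ucredit=2 lcredit=2` values count toward `minlen=15`, so the real minimum length for a password drawing on all four classes is well below 15; negative credits are how "at least N characters of this class" is expressed.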
Deleted: trunk/PREVIOUS_FORMAT/ppp-hint.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/ppp-hint.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/ppp-hint.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,267 +0,0 @@
-TITLE: How to QUICKLY install PPP 2.4.1 over a modem
- (serial line) on LFS
-
-UPDATED: 28-8-02
-
-LFS VERSION: 3.3
-
-AUTHOR: Sebastien Millet <sebastien.millet2 at libertysurf.fr>
-
-SYNOPSIS:
-
-When you manage to install a simple PPP access over a
-modem (a SERIAL modem, connected to a regular RTC
-phone line), in order to get connected to your ISP,
-you need to know where is the latest PPP package
-available and how to install and configure it.
-
-This hint will indicate you how to do this WITHOUT
-downloading huge packages like wvdial, linuxconf
-or other high level configuration tools. You'll
-only need to download the PPP source
-(ppp-2.4.1.tar.gz at the time of this writing).
-
-Also, this hint includes an option to make connection
-be automatic (on demand).
-
-HINT:
-
-
-1. Where to get PPP ?
-
-PPP project Homepage
- http://www.samba.org/ppp
-Alternative freshmeat URL
- http://freshmeat.net/projects/pppd
-
-
-2. Get PPP installed
-
-Once you've downloaded ppp source, extract it from
-the gzipped tarball by running
- tar -zxvf ppp-2.4.1.tar.gz
-
-Then CD to ppp-2.4.1 directory and run the usual triptic
- ./configure
- make
- make install
-
-As usually "make install" must be run as root.
-
-
-3. Configure PPP
-
-It is assumed here that you compiled your kernel with
-support for PPP. To make PPP available in your kernel,
-CD into /usr/src/linux, execute
- make config
-and answer Y (or M when possible, if you manage
-to make PPP be available as a module) to the questions
-
- Networking support
-...
- TCP/IP networking
-...
- PPP (point-to-point protocol) support
-...
- PPP support for async serial ports
- PPP support for sync tty ports
- PPP Deflate compression
- PPP SD_Compress compression
-
-Also you have to enable the "dummy network driver", so to
-have PPP manage an "empty" network device when the PPP
-link is down.
-
-Starting from this point, it is assumed that you're root.
-
-Execute the following to create the file ppp-on-dialer:
-
-cat > /etc/ppp/ppp-on-dialer << "EOF"
-#!/bin/sh
-
-/usr/sbin/chat -v \
- TIMEOUT 3 \
- ABORT '\nBUSY\r' \
- ABORT '\nNO ANSWER\r' \
- ABORT '\nRINGING\r\n\r\nRINGING\r' \
- '' \rATM0 \
- 'OK-+++\c-OK' ATH0 \
- TIMEOUT 30 \
- OK ATDT$TELEPHONE \
- CONNECT '' \
- ogin:--ogin: $ACCOUNT \
- assword: $PASSWORD
-EOF
-chmod a+x /etc/ppp/ppp-on-dialer
-
-Note that \rATM0 is used to turn modem speaker off.
-If you want your modem speaker on or if ATM0 command
-fails on your modem, simply write \rAT (original
-string, given by the PPP-HOWTO) instead of \rATM0.
-
-Now create ppp-on script:
-
-cat > /etc/ppp/ppp-on << "EOF"
-#!/bin/sh
-
-# Beginning of /etc/ppp/ppp-on
-
-TELEPHONE=my-phone-number
-ACCOUNT=-my-account-name
-PASSWORD=my-password
-LOCAL_IP=0.0.0.0
-REMOTE_IP=0.0.0.0
-
-export TELEPHONE ACCOUNT PASSWORD
-
-DIALER_SCRIPT=/etc/ppp/ppp-on-dialer
-
-exec /usr/sbin/pppd /dev/ttyS0 115200 $LOCAL_IP:$REMOTE_IP \
- connect $DIALER_SCRIPT disconnect "chat -v -- \d+++\d\c OK ATH0 OK"
-
-# End of /etc/ppp/ppp-on
-EOF
-chmod a+x /etc/ppp/ppp-on
-
-You have to replace my-phone-number, my-account-name and
-my-password with your values. Also, in the "exec ..."
-line, replace /dev/ttyS0 with the correct serial port
-on which your modem is installed. Consider that
- /dev/ttyS0 corresponds to COM1:
- /dev/ttyS1 corresponds to COM2:
- ...
-
-Now ADD an option to the options file, by executing:
-
-cat >> /etc/ppp/options << "EOF"
-debug
-defaultroute
-EOF
-
-If you want you can also specify the option
- idle <n>
-in /etc/ppp/options, where <n> is the hang-up timeout in seconds
-(for example idle 60 to get a one minute idle timeout).
-
-Now create the file ppp-off:
-
-cat > /etc/ppp/ppp-off << "EOF"
-#!/bin/sh
-
-# Beginning of /etc/ppp/ppp-off
-
-if [ "$1" = "" ]; then
- DEVICE=ppp0
-else
- DEVICE=$1
-fi
-
-if [ -r /var/run/$DEVICE.pid ]; then
- kill -INT `cat /var/run/$DEVICE.pid`
-
- if [ ! "$?" = "0" ]; then
- rm -f /var/run/$DEVICE.pid
- echo "ERROR: Removed staled pid file"
- exit 1
- fi
-
- echo "PPP link to $DEVICE terminated."
- exit 0
-fi
-
-echo "ERROR: PPP link is not active on $DEVICE"
-exit 1
-
-# End of /etc/ppp/ppp-off
-EOF
-chmod a+x /etc/ppp/ppp-off
-
-Now you can connect to your ISP by running
- /etc/ppp/ppp-on
-and disconnect by running
- /etc/ppp/ppp-off
-
-To analyze what's going on in case of failure,
-switch to a terminal that you'll dedicate
-to display system messages (or open a xterm if
-you're working under X), execute
- tail -f /var/log/sys.log
-and you'll see chat and pppd logs on the fly.
-When you're OK you can remove the debug option
-from pppd options file (/etc/ppp/options). You can
-also consider removing -v option of chat invocation
-(in the /etc/ppp/ppp-on-dialer file), though this
-logging is useful and often left.
-
-
-4. Configure name resolution
-
-Configure name resolution by executing the following:
-
-cat > /etc/host.conf << "EOF"
-# /etc/host.conf
-
-order hosts,bind
-multi on
-EOF
-
-cat > /etc/resolv.conf << "EOF"
-# /etc/resolv.conf
-
-domain my-isp-domain-name
-nameserver first-dns-ip-address
-nameserver second-dns-ip-address
-EOF
-
-In the file /etc/resolv.conf, replace my-isp-domain-name,
-first-dns-ip-address and second-dns-ip-address
-with the correct values.
-
-
-5. Configure on-demand connection (optional)
-
-Execute the following:
-
-cat > /etc/sysconfig/network-devices/ifconfig.ppp0 << "EOF"
-ONBOOT=yes
-EOF
-
-cat > /etc/sysconfig/network-devices/ifup-ppp0 << "EOF"
-#!/bin/sh
-
-/etc/ppp/ppp-on
-
-exit 0
-EOF
-
-cat > /etc/sysconfig/network-scripts/ifdown-ppp0 << "EOF"
-#!/bin/sh
-
-/etc/ppp/ppp-off
-ifconfig ppp0 down
-
-exit 0
-EOF
-
-cat >> /etc/ppp/options << "EOF"
-ktune
-demand
-idle 60
-EOF
-
-Note that you may have already supplied the idle option.
-Tune the idle option to a value that fits your wishes.
-
-
-6. How to get detailed informations about PPP
-
-Online HOWTO
- http://www.tldp.org/HOWTO/PPP-HOWTO/index.html
-The same HOWTO as above, but in a single HTML file
- http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/PPP-HOWTO.html
-
-The Linux PPP FAQ
- ftp://sunsite.unc.edu/pub/Linux/docs/faqs/PPP-FAQ/PPP-FAQ
-
-
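Review bot: the closing advice on chat's -v option ("this logging is useful and often left") understates the exposure: chat -v logs every string it sends to the modem as well as everything it receives, so the my-password value that ppp-on hands to the dialer script ends up in /var/log/sys.log in the clear; the hint should recommend dropping -v (and pppd's debug option) once the link is working, or at least restricting read access to that log. Two smaller inconsistencies in section 5: ifup-ppp0 is created under /etc/sysconfig/network-devices/ while ifdown-ppp0 goes under /etc/sysconfig/network-scripts/, and neither script gets the chmod a+x that ppp-on and ppp-off receive, so they will not run from the boot scripts as written.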
Deleted: trunk/PREVIOUS_FORMAT/sendmail.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/sendmail.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/sendmail.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,461 +0,0 @@
-GENERAL OUTLINE
-===============
-
-TITLE: Sendmail
-LFS VERSION: 3.1+
-AUTHOR: Sam Halliday <fommil AT yahoo DOT ie>
-
-SYNOPSIS:
- This hint covers the building and configuring of a Sendmail/Procmail
-mail handling system, with Sendmail not running as root. Some mail clients
-are recommended.
-
-ACKNOWLEDGEMENTS:
-Based on the sendmail hint by J. Jones
-
-CHANGELOG:
-0.1 first release with a changelog, added spam support and better 'cf'
- support
-0.1.1 fixed typo in the 'mc' file
-0.1.2 added extra spam support
-0.1.3 fix a file locking security bug
-0.1.4 fix the fix i didnt really fix ;)
-0.1.5 fix permissions, restructure and upgrade to LFS-3.1 initscripts
- (this was almost a total rewrite)
-0.1.6 a few more permission fixes, update sendmail version
-0.1.7 note about opts in procmail, changed parts of the pine install,
- updated procmail version as the latest development is now 'stable',
- fixed 80 character wrapping, and edited some version tags in mc files.
-0.1.8 fixed aliases.db problem, removed default antispam support, but added
- more detail and a test to check that it works. Removed default DECNET
- support, but mentioned how to add it again. Fixed a silly line in the
- permissions section. Made a workaround to the .forward problem. Please
- somebody help me with the real fix!
-0.1.9 fix a permission problem... sheesh! well, I can send mail now, hope
- everyone else can (everything from 0.1.5 to here was done without a
- network available to me, so please forgive all the silly errors)
-0.1.10 add a patch for a security vulnerability in sendmail 8.12.6, and change
- the download location to reflect sendmail's new stance against the
- recent trojan
-0.1.11 fix the formatting problem in the man pages
-0.1.12 fix the firewall command line, added note about signature checking
- removed old maintainer email address as it doesn't exist anyway.
-0.1.13 edit the initscript to process the failed messages in the clientmqueue.
-0.1.14 thanks to Duncan Webb <duncan AT dwebb.ch> for a fix to the submit.mc
-0.1.15 notes on berkeleydb and added ssl support
-0.1.16 upgraded db, sendmail and removed group 'mail' setup
-0.1.17 upgrade sendmail. 8.12.7 has a serious security bug.
-0.1.18 upgrade sendmail. 8.12.8 has a serious security bug (its like deja vu,
- all over again)
-
-HINT:
-
-Software you need
-=================
-
-Sendmail: http://www.sendmail.org
- Handles sending and receiving of mail by the SMTP protocol
- Latest stable version at time of writing is 8.12.9.
-
-Procmail: http://www.procmail.org
- Our local delivery agent (makes sure mail goes to the correct boxes)
- Latest stable version at time of writing is 3.22
-
-Berkeley DB: http://www.sleepycat.com/download.html
- Sendmail uses this library to store much of it's configuration.
- Latest stable version at time of writing is 4.1.25 although
- requires a patch found at the same location.
-
-Make sure you run md5sum and check the signatures of the packages!
-The recent sendmail trojan was a lesson to us all!
-
-Optional
-========
-
-Mail Clients
-
-Pine: http://www.washington.edu/pine/
- Console based mail client (for for ssh'ing in and reading mail)
-
-Sylpheed Claws: http://sourceforge.net/projects/sylpheed-claws
- GTK+ based email client (when you are at your machine with X running)
-
-
-Why you might need this hint
-============================
-
-Sendmail is a mail server for sending and receiving mail. If you do not have
-a static IP or domain name attached to your machine, you should think again
-before installing sendmail, read the BLFS book for alternatives. If however
-you do need a mail server for receiving mail, this is the LFS hint you need.
-However, if you just wish to send mail locally, don't let this put you off
-installing sendmail as it is an incredibly powerful package which you may
-one day wish to use! Sendmail is not a POP3 or IMAP server by itself.
-
-
-Building the required packages
-==============================
-
-Berkeley Database:
-You may want to build the database with back-wards compatibility, so that you
-can use this functionality with older and unmaintained packages
-(--enable-compat185). Try passing (--help) to see other API's you may build,
-such as java, c++ and tcl. Be warned that if you build Openoffice you may have
-conflicts as it requires an older version of Berkeley-DB. This package takes
-the standard GNUmake environment variables for optimisations and now is
-the best time to set them;
-
-export CFLAGS='-s -O2 -march=i386 -fomit-frame-pointer'
-
-unpack db tarball
-patch -p0 < ../patch.4.1.25.1 # Apply the patch
-cd build_unix
-../dist/configure --prefix=/usr --enable-compat185
-make
-make docdir=/usr/doc/berkeleydb install
-ldconfig
-
-Procmail:
-Procmail requires a Sendmail file to exist in order to compile, so we trick it
-into believing that we have Sendmail installed already by touching the future
-location. Again takes the standard GNUmake environment variables for
-optimisations. Be aware that the -O3 opt kills the procmail initial check, as
-the test program seems to take forever to compile with inlining of functions!
-
-unpack procmail tarball
-touch /usr/sbin/sendmail
-make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp'
-make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp' install
-make CFLAGS="$CFLAGS" LOCKINGTEST='/tmp' install-suid
-
-Unfortunately, I have never been able to get Procmail to work without setting
-run-as-root suid. It needs root privileges to read users config files from
-their home directory. With a different setting, this functionality would be
-lost.
-
-Sendmail:
-
-Sendmail runs on TCP port 25, and by default runs as root. Although Sendmail
-has now gained the respect of the community as being safe to run as root,
-I still do not like having daemons running on open ports as root. So we will
-create the group/user pair 'smmsp':
-
-groupadd -g 18 smmsp
-useradd -g smmsp -G mail -u 18 smmsp
-
-Unlike Procmail and most other programs, which use a text based rc file for
-configuration, sendmail uses preprocessed text files for its compile
-configuration. The same technique is used at run time for incoming
-(sendmail.cf) and outgoing mail (submit.cf). You create an 'mc' file which is
-then processed by the m4 macro processor to create the 'cf' config file.
-Editing a 'cf' file directly is NOT recommended.
-
-After unpacking sendmail, in order to avoid a user.group install which we
-may not be able to accomodate, create the config file with the following
-after setting your CFLAGS to what you desire (leaving them blank is also
-OK, but do not skip the 'sed' script even if they are empty)
-
-chmod a+w devtools/OS/Linux
-cat > devtools/OS/Linux << "EOF"
-define(`confDEPEND_TYPE', `CC-M')
-define(`confSM_OS_HEADER', `sm_os_linux')
-define(`confMANROOT', `/usr/man/man')
-define(`confLIBS', `-ldl')
-define(`confEBINDIR', `/usr/sbin')
-APPENDDEF(`confLIBSEARCH', `crypt nsl')
-define(`confLD', `ld')
-define(`confMTCCOPTS', `-D_REENTRANT')
-define(`confMTLDOPTS', `-lpthread')
-define(`confLDOPTS_SO', `-shared')
-define(`confSONAME',`-soname')
-define(`confOPTIMIZE',`LFSOPTS')
-define(`confMANGRP',`root')
-define(`confMANOWN',`root')
-define(`confSBINGRP',`root')
-define(`confUBINGRP',`root')
-define(`confUBINOWN',`root')
-EOF
-cp devtools/OS/Linux devtools/OS/Linux.orig
-sed -e "s:LFSOPTS:${CFLAGS} \-s:g" devtools/OS/Linux.orig \
- > devtools/OS/Linux
-
-If you wish to use OpenSSL support, then also type this (always use up to
-date releases of OpenSSL!)
-
-cat >> devtools/OS/Linux << "EOF"
-APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -DHASURANDOMDEV')
-APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')
-EOF
-
-Now we build some preliminaries:
-
-cd sendmail
-sh Build
-cd ..
-
-Now create the config file 'sendmail.mc' and 'submit.mc'. Read cf/README
-for all the options you can use if you ever wish to modify your setup.
-We may need to update this configuration in the future, so it is a good
-idea to copy over all necessary files into /etc/mail. The sendmail startup
-script will regenerate the config files on startup so unless you want to
-edit the script, place them as shown;
-
-mkdir -p /etc/mail
-cp cf/README /etc/mail
-cp -r cf/m4 /etc/mail
-cp -r cf/ostype /etc/mail
-cp -r cf/domain /etc/mail
-cp -r cf/feature /etc/mail
-cp -r cf/mailer /etc/mail
-cp -r cf/sh /etc/mail
-cat > cf/cf/sendmail.mc << "EOF"
-OSTYPE(linux)
-DOMAIN(generic)
-FEATURE(smrsh)
-FEATURE(`nouucp',`reject')
-FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')
-FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')
-FEATURE(`no_default_msa')
-MODIFY_MAILER_FLAGS(`LOCAL', `-S')
-define(`confTRUSTED_USER', `smmsp')
-define(`confRUN_AS_USER', `smmsp:smmsp')
-define(`confCW_FILE', `-o /etc/mail/local-domains')
-MAILER(local)
-MAILER(smtp)
-EOF
-cat > cf/cf/submit.mc << "EOF"
-FEATURE(`msp')
-define(`confCF_VERSION', `Submit')
-define(`__OSTYPE__',`linux')
-define(`confTIME_ZONE', `USE_TZ')
-define(`confTRUSTED_USER', `smmsp')
-define(`confRUN_AS_USER', `smmsp:smmsp')
-EOF
-
-A brief description is that we are fork()'ing the listening sendmail daemon
-to use user smmsp. Berkeley DB support has also been enabled here. For a fuller
-explanation, read your locally stored /etc/mail/README. Sendmail also fork's
-as user smmsp to send mails, this avoids any possible local exploits.
-
-To add a database lookup of known spammer IP addresses, simply add one of the
-following to you sendmail.cf file to the end of the FEATURE section.
-
-FEATURE(`dnsbl', `blackholes.mail-abuse.org', `"Listed on http://mail-abuse.org"')
-FEATURE(`dnsbl', `sbl.spamhaus.org', `"Listed on http://spamhaus.org/SBL"')
-FEATURE(`dnsbl', `relays.visi.com', `"Listed on http://relays.visi.com"')
-
-To test that your IP lookup for blackholes.mail-abuse.org is working, Russell
-Nelson has put together an auto-responder. His instructions are:
-Send mail to nelson-rbl-test at crynwr.com from the server whose block you are
-testing. Expect one reply from crynwr.com with the SMTP conversation. If
-you get another reply from crynwr.com, then your spam filter is broken.
-Please note that the RBL, RSS, and DUL zones are now closed to all but paying
-customers, so don't expect this to work unless you have organised with them
-previously, with $/£. Since I have no need of this service I have never checked
-that it is working correctly... I would appreciate mail with success stories!
-
-We will disable SSL connection support as default, as a lot of MTA's implement
-the protocol incorrectly, but if you are in a situation where SSL connections
-are an absolute necessity, then I refer you to your locally stored
-/etc/mail/README file where you may read the section on 'STARTTLS'. You may
-need to create a 'certs' folder to store certificates.
-
-Now compile the 'cf' files from our 'mc' files
-
-cd cf/cf
-sh Build sendmail.cf
-sh Build submit.cf
-
-Install the setup files and create some needed system directories
-
-mkdir -p /var/spool/mqueue /var/lib/smrsh
-cp sendmail.cf /etc/mail
-cp sendmail.mc /etc/mail
-cp submit.cf /etc/mail
-cp submit.mc /etc/mail
-
-Build it and install!
-
-cd ../../
-sh Build
-sh Build install
-
-The Sendmail restricted shell is what will be executed (in place of /bin/sh)
-in order to process any commands that may appear in a user's .forward file.
-It can only execute a program if it appears in it's command directory. This
-will allow smrsh to execute Procmail and vacation, and nothing else. You
-should never allow it to execute any shell, as it will defeat any security
-advantages gained by using it. Execute the following:
-
-cd /var/lib/smrsh
-ln -s /usr/bin/procmail
-ln -s /usr/bin/vacation
-
-Create the file /etc/mail/aliases as follows. See man 5 aliases for
-an explanation of this file
-
-cat > /etc/mail/aliases << "EOF"
-postmaster: root
-MAILER-DAEMON: root
-EOF
-
-And the file /etc/mail/access. This file is quite powerful.. you should
-read the /etc/mail/README section about it to fully understand it.
-
-cat > /etc/mail/access << "EOF"
-localhost.localdomain RELAY
-localhost RELAY
-127.0.0.1 RELAY
-#example line to block spammers:
-#spammer at aol.com ERROR:"550 spam sucks"
-EOF
-
-Do the next line and also after any change to /etc/mail/access
-
-makemap hash /etc/mail/access < /etc/mail/access
-
-add lines to /etc/mail/local-domains such as
- @<your domain here>
-Or simply create an empty file by
-
-touch /etc/mail/local-domains
-
-At this stage it is important to set the permissions correctly in the /etc/mail
-directory or sendmail will not be able to upgrade or read it's own databases.
-Set the permissions by issuing
-
-touch /etc/mail/aliases.db
-chown -R smmsp.root /etc/mail/
-chmod -R o-wrx /etc/mail
-chmod o+x /etc/mail
-chown -R root.smmsp /var/spool/mqueue
-chmod 770 /var/spool/mqueue
-chown -R root.smmsp /var/spool/clientmqueue
-chmod 770 /var/spool/clientmqueue
-chmod 1777 /var/mail
-
-Now run `sendmail -v -bi` to upgrade the sendmail alias list.
-
-OK, sendmail is now installed and should be working once we run the startup
-script, speaking of which...
-
-cat > /etc/rc.d/init.d/sendmail << "EOF"
-#!/bin/bash
-
-source /etc/sysconfig/rc
-source $rc_functions
-
-case "$1" in
- start)
- echo "Starting sendmail..."
- /usr/bin/m4 /etc/mail/m4/cf.m4 /etc/mail/sendmail.mc \
- > /etc/mail/sendmail.cf
- chmod 444 /etc/mail/sendmail.cf
- /usr/bin/m4 /etc/mail/m4/cf.m4 /etc/mail/submit.mc \
- > /etc/mail/submit.cf
- chmod 444 /etc/mail/submit.cf
- /usr/sbin/makemap hash /etc/mail/access < /etc/mail/access
- /usr/bin/newaliases > /dev/null 2>&1
- /usr/sbin/sendmail -bs -bd -q1m
- /usr/sbin/sendmail -Ac -qf
- evaluate_retval
- ;;
-
- stop)
- echo "Stopping sendmail..."
- killproc sendmail
- ;;
-
- restart)
- $0 stop
- sleep 1
- $0 start
- ;;
-
- status)
- statusproc sendmail
- ;;
-
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
-esac
-EOF
-chmod 755 /etc/rc.d/init.d/sendmail
-
-When you send or receive an email you can check that sendmail is running as
-smmsp by issuing "ps -u smmsp v". If you intend on using a Firewall, you
-will have to open port 25 up to NEW connections. eg. for iptables
-
-/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state \
- --state NEW -j ACCEPT
-
-BUGFIX:
-sendmail has some incorrectly formatted man pages, so if you experience
-trouble, run this
-
-for A in sendmail/mailq.1 sendmail/newaliases.1 vacation/vacation.1
-do
-/bin/cp -f $A /usr/share/man/man1/ ;
-done
-/bin/cp -f sendmail/aliases.5 /usr/share/man/man5/ ;
-for A in mailstats/mailstats.8 \
- makemap/makemap.8 smrsh/smrsh.8 \
- sendmail/sendmail.8 praliases/praliases.8 \
- editmap/editmap.8
-do
-/bin/cp -f $A /usr/share/man/man8/ ;
-done
-
-ADDITIONAL
-==========
-
-Now we need a mail client program which users can send and read their email
-with. I recommend two; 'pine' for console and 'sylpheed-claws' for GTK+ in
-an X environment.
-
-Pine:
-This will install Pine the mail client for a console. It also has openssl
-support, see the BLFS book for that. Unfortunately the compile is totally
-non-standard and the authors should be ashamed of themselves! You must
-edit the file imap/src/osdep/unix/Makefile (in the slx section) in order
-to add optimisations to the imap build. We will install for shadow password
-support, but PAM support is also available if you replace the 'slx' with
-'lnp'.
-
-./build clean
-./build slx CC="$CC" MAILSPOOL='/var/mail' SSLINCLUDE='/usr/include/openssl' \
- SSLCERTS='/etc/ssl/certs' SSLTYPE=unix DEBUG="$CFLAGS"
-strip pine/pine
-install pine/pine /usr/bin/
-
-Sylpheed Claws:
-You will need GTK+-1.2 for this one. 'GPG made easy' (www.gnupg.org/gpgme.html)
-and GPG are needed for GPG support. The new 'all in one' aspell for spelling
-and of course, OpenSSL for SSL.
-
-./configure --prefix=/usr/X11R6 --enable-aspell --enable-gpgme --enable-openssl
-make
-make install
-
-Happy emailing!
-
-BUGS:
-
-Procmail, despite being suid root, is running as smmsp and is therefore unable
-to read user's .forward files unless their home directories are world readable!
-As a workaround, set the permissions on everyone's home directories to
-`chown <user>.smmsp`. This does not need to be run recursively, but requires
-that the .forward and .procmailrc files be world readble, or also set
-`chown <user>.smmsp`. I would LOVE to hear the real fix for this.
-
-NOTES:
-
-Feedback and patches are most welcome! Consider the 'AUTHOR' field mearly a
-formality for saying 'contact'. This hint is community owned/written and wishes
-to stay that way.
-
-For further reading, I direct you to
-http://www.sendmail.org/faq
-and the numerous books available on sendmail.
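Review bot: the permissions block (chown -R smmsp.root /etc/mail/ followed by chmod -R o-wrx /etc/mail) hands ownership of sendmail.mc, submit.mc and the generated .cf files to the unprivileged daemon account, and the init script then regenerates sendmail.cf and submit.cf from those .mc files with m4 as root on every start; anyone who compromises the smmsp account can therefore rewrite configuration that root will process. Suggest root.smmsp ownership with group read on the directory and group write only on the .db files sendmail has to rebuild (access.db, aliases.db), which keeps the confRUN_AS_USER setup working while the configuration stays root-owned. Minor: the start action runs "/usr/sbin/sendmail -bs -bd -q1m", but -b selects a single operating mode, so -bs and -bd cannot both take effect and -bs should be dropped.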
Deleted: trunk/PREVIOUS_FORMAT/shadowpasswd_plus.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/shadowpasswd_plus.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/shadowpasswd_plus.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,479 +0,0 @@
-TITLE: Shadow Suite for Linux(tm) - installation, usage, enhancement
-LFS VERSION: 3.0+
-AUTHOR: Jeffrey Allen Neitzel <jan at belvento.org>
-
-SYNOPSIS:
- Do you want to know your system is secured with regard to passwords?
- Do you want to learn more about security?
- Understanding the usage of passwords on your system is a good place
- to start since passwords on UNIX(tm) are analogous to the keys for
- the front door of your home. Shadow Passwords can help to keep these
- keys from falling into the wrong hands.
-
-HINT:
-
-2001-10-09
-
-Table of Contents
- Preface
- Introduction
- *) Two Approaches
- *) Terminology
- Chapter 1
- - Preliminary Information
- *) What is password shadowing?
- *) Am I already using it?
- *) DES vs. MD5 passwords?
- *) Do I want to shadow my password file?
- Chapter 2
- - Installing Shadow-20001016
- *) Installation Commands
- Chapter 3
- - Additional Configuration/Security Steps
- *) How do I add a new user?
- *) /etc/login.defs (configuring the shadow login suite)
- *) Essential Permissions
- Chapter 4
- - Conclusion
- Footnotes
-
-
-==============================================================================
- PREFACE
-==============================================================================
-
-All of the following modifications and suggestions are based on the
-installation commands as they appear in:
-
- Linux From Scratch: Version 3.0 (lfs-3.0)
-
-The suggestions here will apply directly to any LFS System which uses the
-shadow password suite (shadow-20001016) as obtained from:
-ftp://ftp.pld.org.pl/software/shadow/
-
-Please refer to the DISCLAIMER at
-http://hints.linuxfromscratch.org/hints/DISCLAIMER
-
-In addition, the author takes no responsibility for the security of your system.
-These are friendly suggestions, but it should not be forgotten that implementing
-security measures for your site is multifaceted. Password security is only one
-part of that.
-
-I assume you are installing the shadow password suite now. You will need
-super-user (root) privileges to perform many of the system-wide configuration
-activities discussed here. This document assumes you have these privileges.
-Because of this, I must leave you with one final thought, "Think before you
-type."
-
-
-==============================================================================
- INTRODUCTION
-==============================================================================
-
-The primary objective of this document is to complement and extend the LFS BOOK
-in regards to shadow passwords on your LFS System. I will try to detail some
-additional steps to take which can help enhance system security. In doing so,
-I hope the reader finds this to be a valuable extension to the book's methods.
-
-o== Two Approaches ==o
-
-I have tried to split the commands to address both, those individuals who are
-doing the book and reading this document concurrently, and those who are reading
-this after they have already finished the book. To achieve this, the author will
-use the following notations in Chapters 2, 3, and 4:
-
- # Approach 1
- will allow the reader to replace commands for installing Shadow-20001016
- as found in the book with commands listed here.
-
- # Approach 2
- will be primarily for those individuals who have already installed
- Shadow-20001016 previously and now want to check their configuration
- to be sure all is well, upgrade, modify, etc.
-
- # BOTH 1+2
- will apply to both sets of readers.
-
-o== Terminology ==o
-
-I will use the terms password, passphrase, and secret interchangeably. Also,
-rather than use the word "encrypted" to describe the string your password gets
-turned into, I will say "encoded" instead. This is because the password you type
-actually gets encoded using a one way hash function. See crypt(3) for more info.
-I believe the same holds true for MD5-based passwords.
-
-==
-
-I hope to extend on what I have written here as time permits, and I invite the
-reader to contact me to report errors and/or omissions. Of course, all comments
-and questions are welcome.
-
-To begin, I should preface all of the following with the fact that when it
-comes to security and computers there is *always* a balancing act between
-security (paranoia) and convenience, for both system administrators and
-users alike.
-
-Because of this need for compromise and balance, interpretation of security
-requirements differs from site to site. Interpretation of suggested practice
-will usually fall victim to the subjectives inherent in human nature.
-
-On that note, this author approaches security from the PARANOID perspective.
-Reader should balance these suggestions with his/her own need for convenience.
-If the suggestion introduces too much inconvenience relative to added security
-benefit, I invite you to interpret and implement as your needs dictate.
-
-References will be made when necessary to explain more fully about a particular
-topic.
-
-
-==============================================================================
- Chapter 1 - Preliminary Information
-==============================================================================
-
-o== What is password shadowing? ==o
-
-Password shadowing is a useful tool and one part of securing your system. It is
-a tool to allow protecting password information from those who really have no
-need to see it. Since reams of information exist about passwords and computer
-security I won't go on to duplicate any of it here.
-
-In short, shadowing your password file consists of removing the encoded secrets
-from the necessarily world-readable /etc/password file and instead placing them
-into another file which is not world-readable. This other file is normally
-called /etc/shadow on Linux systems.
-
-It is an idea which is not necessarily new and has been implemented in one way
-or another on a great many UNIX systems. The Shadow Suite for Linux is one of
-these tools. It is only a tool, not security salvation.
-
-o== Am I already using it? ==o
-
-Have you already run the `/usr/sbin/pwconv' command? Have you already given
-root a password by running `/usr/bin/passwd root'? If so, the answer is most
-likely, "YES".
-
-I say "most likely" because I feel that you can never be too certain with
-something this important to the integrity of your system. So, on that note,
-please take a moment now to examine the relevant files if you have not done
-this already.
-
-For more information on the following please refer to the relevant man pages
-which would be:
-PASSWD(5) get there with `man 5 passwd' and/or,
-SHADOW(5) get there with `man 5 shadow'.
-
-For each line in /etc/password, you should see something like this:
-
- username:password:uid:gid:comment:home_directory:user_shell
-
-The fields are delimited by colons. Field number 2 is the password field.
-One of the following will be true:
-
- *) password field contains nothing (e.g. username::uid)
-
- This is a sign of danger! DANGER! You have no password. Please stop now
- and give yourself a password.
-
- *) password field contains "x"
-
- If you see an "x" there this normally means that shadow passwords have
- been enabled. In such case, your encoded password has moved to the shadow
- password file (/etc/shadow). If you are the super-user, now might be a
- good time to go ahead and look at what is in this file. Be sure there is
- an entry in /etc/shadow for each user in /etc/password. There are occasions
- where some users in the password file might be missing from the shadow
- file. This is most likely to happen if you have ever added a user with
- the vipw program.
-
- *) password field contains "a_bunch_of_ASCII_characters"
-
- If you see a bunch of ASCII characters instead of an "x", then you are not
- using shadow passwords. The ASCII characters make up the encoded string
- which represents your password.
-
-o== DES vs. MD5 passwords? ==o
-
-There are two different algorithms *commonly* used to encode user passwords.
-One of them uses the crypt function which uses a DES-based algorithm. The
-other method uses a MD5-based algorithm which is substantially better than
-the DES method. There *are* others, but these two are the ones currently
-available on Linux.
-
-Which one am I using?
-You can distinguish one from the other by looking at the encoded password
-string. If it begins with $1$ and is 34 characters long including the $1$,
-this is an MD5-based ciphertext format. DES-based formats are substantially
-shorter, about 13 characters in length if I recall.
-
-o== Do I want to shadow my password file? ==o
-
-Yes, you do! It should be noted, however, that there are apparently some
-situations where you might not want to do this. Since I personally cannot speak
-of these situations I must defer to the experience of others in this regard.
-On the other hand, if your machine is one with user accounts on it (a desktop
-workstation for example) and doesn't mess around with NFS and the like, then
-shadowing your password file certainly can't hurt. In the end of course, it's
-entirely up to you.
-
-Suffice it to say that on any UNIX system passwords are an important part of
-the basic security model and the first step, or front door, into the system.
-If you can protect system integrity in any way by *hiding* these keys, then
-I figure it is a proactive step in the right direction.
-
-
-==============================================================================
- Chapter 2 - Installing Shadow-20001016
-==============================================================================
-
-o== Installation Commands ==o
-
-I have added comments to elaborate where I feel it necessary. Comments are
-denoted below the same as in any Bourne Shell script. A "#" at the beginning
-of a line marks that line as a comment. I have double-spaced between related
-command blocks for legibility and emphasis.
-
-The meaning of "# Approach 1", "# Approach 2", and "# BOTH 1+2" notations is
-detailed above in the Introduction.
-
-############################################################
-# Approach 1
-cd /path/to/your/sources/shadow-20001016
-
-# Begin installation commands.
-cp src/useradd.c src/useradd.c.backup &&
-sed 's/\(.*\) (nflg || \(.*\))\(.*\)/\1\2\3/' \
- src/useradd.c.backup > src/useradd.c &&
-
-# Want md5crypt? This capability is now compiled-in by default.
-./configure --prefix=/usr &&
-make &&
-make install &&
-cd etc &&
-cp limits login.access /etc &&
-
-# The second expression below will enable MD5-based password
-# encoding in your /etc/login.defs file.
-sed 's%/var/spool/mail%/var/mail%
- s%^#MD5_CRYPT_ENAB.*no%MD5_CRYPT_ENAB yes%' login.defs.linux \
- > /etc/login.defs &&
-
-# Move some libs around and make a couple symlinks.
-cd /lib &&
-mv libshadow.a libshadow.la /usr/lib &&
-ln -sf libshadow.so.0 libshadow.so &&
-cd /usr/lib &&
-ln -sf ../../lib/libshadow.so
-
-############################################################
-# Approach 2
-# If you are reading this hint after the shadow password installation
-# and you have performed that installation by-the-lfs-book, then run
-# these commands to turn on MD5 support.
-cp /etc/login.defs /etc/login.defs.working &&
-sed 's%^#MD5_CRYPT_ENAB.*no%MD5_CRYPT_ENAB yes%' /etc/login.defs.working \
- > /etc/login.defs
-
-############################################################
-# BOTH 1+2
-# Make these symlinks if you want vigr . Just a nice addition.
-cd /usr/sbin &&
-ln -sf vipw vigr &&
-cd /usr/share/man/man8 &&
-ln -sf vipw.8 vigr.8
-
-
-==============================================================================
- Chapter 3 - Additional Configuration/Security Steps # BOTH 1+2
-==============================================================================
-
-o== How do I add a new user? ==o
-
-Well, there is more than one way to do this of course, but we want the easiest
-way. Right? First, please note that the relevant man pages are USERADD(8) and
-GROUPADD(8). I mention the man pages because the following example is the
-simplest possible way to do this. This will leave a lot to be desired, and you
-will certainly want to refine the example to suit your needs.
-
-Example: You want to add a new user "joe". He will be in group "users".
- What to do?
-
-Does group "users" already exist on your system? If not, add this new group
-by doing:
-/usr/sbin/groupadd users
-
-Now you can add user "joe" by doing:
-/usr/sbin/useradd -g users joe
-
-Ok, now that this has been done... Can joe really use this account yet? No.
-Why is this? Well, he doesn't have a password yet. The account is currently
-locked. Also, by using the commands exactly as above, his home directory does
-not yet exist on the system.
-
-You can give joe a password by doing:
-/usr/bin/passwd joe
-
-That's all for now. Please refer to USERADD(8) for further info. There are a
-great many additional options you can use. You can also create a shell script
-to automate the procedure so that the results are always consistent. I may
-include an example script here in time.
-
-o== /etc/login.defs (configuring the shadow login suite) ==o
-
-This is a very important configuration file for your system. I highly recommend
-that you take a few moments to familiarize yourself with it. Since it has a
-great many configuration definitions, it is almost required to know exactly
-what is there. Besides, if you have a little time to play around with this file
-it's actually kind of fun! ;o)
-
-Before you change this file, make a backup of it for obvious reasons.
-A good way to get an overview of this file is to simply `less /etc/login.defs'.
-It has comments to describe what each definition does. You can also have a look
-at LOGIN(5), `man 5 login.defs', if you need more info than these comments
-provide.
-
-In time, I will add an example /etc/login.defs file below ([3] /etc/login.defs)
-with further information about what I believe are the best settings to use and
-why.
-
-o== Essential Permissions ==o
-
-If you want to take maximum advantage of password shadowing and add some extra
-security to your system I recommend to take the following steps. This is really
-intended for the paranoid. In my opinion, computer security and paranoia go
-hand-in-hand! Paranoia is good! Let me take this moment and invite you again to
-balance these suggestions with your own needs.
-
-#
-# Restrict permissions on /bin/login and /bin/su .
-# Refer to [1] below for explanation of why.
-#
-# Before restricting su to a privileged group, you must first create this
-# group with groupadd (man 8 groupadd for details) or vigr . For example,
-# replace "admin" below with whatever groupname you chose to use. Then, be
-# sure to add yourself, or whoever this privileged user is, to your newly
-# created "admin" group. Then run the following commands.
-chmod -c 0700 /bin/login &&
-chgrp -c admin /bin/su &&
-chmod -c o-rx /bin/su
-
-#
-# Some other programs that should be restricted.
-# Refer to [2] below for explanation of why.
-#
-# The following will remove group/other execute permissions from these programs.
-# Since only root can effectively use any of these you might as well make them
-# to be 0700 and be done with it. Then, privileged user can su to root and do
-# user administration.
-cd /usr/sbin &&
-chmod -c go-rx chpasswd dpasswd group* grp[cu]* logoutd \
- mkpasswd newusers pw[cu]* user* vipw
-
-#
-#== Exercise for the reader ==#
-#
-# Will you really use any of these programs on a daily basis? If not, you could
-# possibly remove them from the system entirely, put them on a CD, and mount the
-# CD when you need to do user administration. This *is* possible by the way, but
-# you need to weigh the costs/benefits of doing so. It's up to you in the end.
-#
-
-
-==============================================================================
- Chapter 4 - Conclusion
-==============================================================================
-
-After all of this, I assume you want to enable password shadowing... =)
-
-############################################################
-# Approach 1
-If you are still running within chroot on your host system and haven't booted
-your new LFS System yet, then run:
-
-/usr/sbin/pwconv
-
-Then run:
-
-/usr/bin/passwd root
-
-############################################################
-# Approach 2
-Before you run the following command, be absolutely certain that you have
-taken a copy of your currently unshadowed password file, put it somewhere
-safe, and chmod it to 0600 . Better safe than sorry. If something were to
-go foul, recovery is easy. After taking the previous precautionary measure,
-be sure you are root and are logged in on more than one console/terminal.
-
-Then run:
-/usr/sbin/pwconv
-
-On the second, and/or third, terminal(s) you are logged into do some tests
-to be certain that you get the expect results (i.e., you can login). On some
-other terminal try logging into your normal user account. Success? Good!
-Now, try to `su - root' . If you don't see any anomalous behaviour then you
-should be good to go.
-
-If you added passwords to your system before you changed /etc/login.defs to
-allow MD5 support, please note that the old passwords do not get converted
-automatically. The old password strings will still be encoded using the
-DES-based algorithm. To change these old passwords so they will use the
-MD5-based ciphertext format, simply run `/usr/bin/passwd <username>' for
-each username where this is true.
-
-The new encoded string will now be MD5-based. If you want to keep the original
-password for each account run passwd twice for each one. First, change to some
-temporary value, and then change to original.
-
-############################################################
-# BOTH 1+2
-Congratulations! You have done very well indeed! =)
-
-
-==============================================================================
- FOOTNOTES
-==============================================================================
-
-[1] login and su should not be world executable!
-
- login:
- As far as I have ever seen, login is only started by a getty
- or some other root-owned process. Sometimes sshd might be setup
- to use login. Since sshd normally runs as root, or some other
- privileged user, this should not cause any problem.
- No guarantee on that, can someone confirm?
-
- su:
- This program should be tightly restricted. It is suid root.
- Security would dictate that all privileged users who might be
- permitted to use su, should be members of a privileged group
- whose membership consists only of trusted admins.
-
- I always use wheel or admin for this, pick whatever group name
- you want. /etc/login.defs has an avenue to restrict use of su.
- Also, the su program itself has a config file you can opt to
- configure: /etc/suauth .
-
- This file is not created by default. `man 5 suauth' will give
- the details on this file. In short, do look over these
- possibilities for restricting su usage. Until then, removing
- world execute from /bin/su is a good place to start.
-
-
-[2] Change some other modes as an additional safeguard.
-
- There are a whole slew of programs installed as part of the
- shadow-suite into /usr/sbin . These programs should also be tightly
- restricted to admins only. Only root can effectively use any of these
- So, administrator does a su to root, does admin duties, and goes back
- to his/her normal user account.
-
- Note: Some of the programs do give errors if joe user is trying to
- use one of them. If your system permissions in /etc are set
- correctly, joe user won't be able to obtain a lock on any of
- the relevant files in /etc/{passwd,shadow,group,gshadow} .
- Because of this, it makes sense to simply restrict permissions
- on these programs.
-
-
-[3] /etc/login.defs
-
- This will be added soon.
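Review bot: the /etc/login.defs section refers readers to "LOGIN(5), `man 5 login.defs'", but the page named by that `man 5 login.defs` command is login.defs(5), not LOGIN(5); the reference should be corrected before the file is kept as the archived copy. Two unresolved placeholders also move with the file: the "No guarantee on that, can someone confirm?" question about sshd in footnote [1] and footnote [3], which still reads "This will be added soon" while the login.defs section promises an example file under [3]; either resolve them or mark the hint as unmaintained if trunk/OLD/ is archival. On the permission block, `chmod -c go-rx chpasswd dpasswd group* grp[cu]* logoutd mkpasswd newusers pw[cu]* user* vipw` relies on shell globs expanded in /usr/sbin, so it silently restricts any unrelated binary whose name happens to start with group, grp, pw or user; naming the shadow-suite programs explicitly would make the step predictable.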
Deleted: trunk/PREVIOUS_FORMAT/shells.txt
===================================================================
--- trunk/PREVIOUS_FORMAT/shells.txt 2005-08-06 18:12:57 UTC (rev 978)
+++ trunk/PREVIOUS_FORMAT/shells.txt 2005-08-08 02:55:30 UTC (rev 979)
@@ -1,346 +0,0 @@
-TITLE: How to install alternative shells on your LFS-system
-LFS VERSION: All
-AUTHOR: Björn Lindberg <d95-bli at nada.kth.se>
-
-SYNOPSIS: A guide on how to install other shells than bash on an
- LFS-system.
-
-HINT:
-
-1. INTRODUCTION
-
-A vanilla LFS only comes with one shell, namely bash (Bourne-again
-shell). There are a lot of reasons why one would like to have
-alternatives. Different shells are good at different things. You might
-want to use one particular shell as your interactive shell, but another
-one for scripting. There are some programs that have their compile
-scripts written with a syntax that requires a certain shells. I will
-give a brief description of each shell, listing some of their strong
-points below.
-
-
-1.1 The Almquist Shell (ash)
-
-This is the shell that most closely tries to mimick the behaviour of
-the original Bourne shell -- and no more. It is therefore Bourne shell
-compliant, while being extraordinarily small and efficient. It is used
-as the /bin/sh shell on NetBSD, who also currently maintains it. There
-are two good reasons why you might want to consider installing ash:
-
-(1) It is small. It's memory footprint is about a third of bigger more
- feature-filled shells, like bash and Korn shell. On a less
- powerful machine it could be installed as /bin/sh, causing all
- common administration scripts, eg. boot scripts to be run with it.
-
-(2) Portability. On Linux systems it is commonplace to begin a script
- with /bin/sh, yet oftentimes bash-specific features will creep in,
- since bash is the Linux standard shell. Those scripts should
- arguably have /bin/bash at the top, because most of them won't run
- as intended on other flavors of UNIX that don't use bash for their
- /bin/sh, like the *BSDs and commercial Unices. Thus, using ash for
- /bin/sh is an extra insurance that your scripts are portable in
- the sense that they will generally work with the interpreter given
- on the first line. this is good.
-
-
-1.2 The Korn Shell (ksh)
-
-Korn shell, like bash, is an improved Bourne shell derivative. It is
-actually more than a shell, designed to be a very high-level
-programming language while still maintaining Bourne shell
-compatibility. Bash has borrowed a lot of the ksh functionality, so
-the syntax is very similar. Korn shell is commonly used for more
-advanced scripting on non-Linux platforms, and since ksh is frequently
-available on commerical Unices, the portability for ksh scripts is
-good. It is also a very good interactive shell, and has some distinct
-features, like co-processes. See http://www.kornshell.com for more info.
-
-
-1.3 The T C Shell (tcsh)
-
-T C shell is the successor of the C shell, a competitor to the Bourne
-shell but with C-like syntax. tcsh thus has a vastly different syntax
-than the Bourne shell derivatives. Although shell afficionados
-consider csh (and by extension tcsh) a bad scripting shell (see
-http://www.faqs.org/faqs/unix-faq/shell/csh-whynot/), it is a very
-nice interactive shell with some unique features, like programmable
-tab completion. Another good reason to have it is that you might
-encounter scripts written in csh or tcsh. Such scripts won't run with
-Bourne shell and compatibles, since the syntax is different. Some
-program sources requires tcsh to build, eq xv (the image viewer), and
-openoffice. See http://www.tcsh.org for more info on tcsh.
-
-
-1.4 The Z shell (zsh)
-
-The Z shell is the most feature-filled (or bloated :-) of our
-shells. It's syntax is mostly similar to the Korn shell, but also
-borrowing elements from the C shell. It strongpoints are as an
-interactive shell, where it incorporates features from all other
-shells, while containing modules with a large variation of
-functionality. As an example, zsh comes with it's built-in ftp-client!
-See http://www.zsh.org for more info.
-
-
-2. INSTALLATION
-
-
-2.1 The Almquist Shell
-
-As mentioned earlier, the most actively maintained ash is the one
-NetBSD are using for their /bin/sh. Most Linux-distros are including
-ash, and they are then typically keeping their sources in sync with
-the NetBSD ones. We will use the Debian sources, since they are a bit
-more Linux-friendly than NetBSD. :-)
-
-It is still a lot of trouble to compile though, because the makefile
-requires pmake, which is a make common on *BSDs. Gnu make won't
-work. The tarballs we'll need, and the places I got them:
-
-ash
- ftp://ftp.debian.org/debian/dists/potato/main/source/shells/\
- ash_0.3.5.orig.tar.gz
-ash-diff
- ftp://ftp.debian.org/debian/dists/potato/main/source/shells/\
- ash_0.3.5-11.diff.gz
-ash-hetios
- ftp://ftp.psychosis.com/linux/linux-router-devel/\
- ash-hetios-0.5.1.diff.gz
-pmake
- ftp://ftp.debian.org/debian/dists/potato/main/source/devel/ \
- pmake_1.45-3.2.tar.gz
-
-We might as well use the Debian pmake, found at the same place. Don't
-hesitate to use your local Debian mirror site instead of the main one.
-
-The ash-hetios patch is a patch from the Linux Router Project that
-enables history support and arrow keys. If you plan on using ash as an
-interactive shell, you would want this patch, and if not, just don't
-apply it.
-
-In the section below I will assume that you do not want to keep pmake
-after using it to build ash. If you want to install pmake on your
-system the procedure will actually be somewhat easier.
-
-Unpack the pmake tarball and issue the following command:
-
- debian/rules
-
-We will need this later:
-
- export PMAKE=<path-to-pmake>
- export PATH=$PATH:$PMAKE
-
-If you want to install pmake on your system, instead do the following:
-
- install -m 755 bmake /usr/bin/pmake
- install -m 755 mkdep /usr/bin/
- install -m 644 make.1 /usr/share/man/man1/pmake.1
- install -m 644 mkdep.1 /usr/share/man/man1/
- install -d -m 755 /usr/share/mk/
- for file in mk/*; do install -m 644 $file /usr/share/; done
-
-Now unpack the ash tarball and apply first the debian diff, and then
-the hetios diff. The hetios diff will not apply cleanly beacuse it was
-made against a slightly different source tree. This is nothing to
-worry about.
-
-We still have to make some small modifications:
-
- mv Makefile Makefile.orig
- sed 's/\(^CPPFLAGS.*$\)/\1 -DHETIO/' Makefile.orig > Makefile
- echo -e "#endif\n" >> hetio.c
- mv arith.y arith.y.orig
- sed 's/\(yyerrok;\)/\/* \1 *\//' arith.y.orig > arith.y
- $PMAKE/pmake -m $PMAKE/mk CFLAGS='-O2' CPPFLAGS='-DBSD \
- -DSMALL -DSHELL -DHETIO -D__COPYRIGHT\(x\)= \
- -D__RCSID\(x\)=' HOST_CPPFLAGS='-DBSD -DSMALL \
- -DSHELL -DHETIO -D__COPYRIGHT\(x\)= \
- -D__RCSID\(x\)=' YACC='bison -y'
-
-Voilà! We now have a binary called sh and a manpage to go with
-it. Install via the following:
-
- install -m 755 sh /bin/ash
- install -m 644 sh.1 /usr/share/man/man1/
- cd /usr/share/man/man1 && ln sh.1 ash.1
-
-If you would like to use ash as /bin/sh, either symlink it or install
-it as sh directly. The manpage is a very good manpage for sh in either
-case.
-
-
-2.2 The Korn Shell
-
-The Korn SHell used to be a commercial closed-source shell. Because of
-this, a free clone was written, pdksh (Public Domain Korn
-Shell). pdksh supposedly has most of the original ksh's functionality,
-but since early 2000 the source code for the original ksh is
-available, so that is what we are going to install here. Note that ksh
-is still under a license though. The following packages are needed:
-
-http://www.research.att.com/~gsf/download/tgz/INIT.2002-06-28.tgz
-http://www.research.att.com/~gsf/download/tgz/ast-ksh.2002-06-28.tgz
-http://www.research.att.com/~gsf/download/tgz/ast-ksh-locale.2002-06-28.tgz
-
-Note that the exact URL may change as a result of updates to the
-source code packages. If the above links don't work you will have to
-go to http://www.research.att.com/sw/download/ and manually download
-the following packages: INIT, ast-ksh and ast-ksh-locale.
-
-ksh is built using AT&T's particular build system. First you will need
-to designate an empty build directory, eg <...>/src/ksh. The rest of
-the install commands should be executed while standing in this
-directory. Unpack the INIT package from this directory. Execute
-
- mkdir lib/package/tgz
-
-and move all three packages to this directory. Now issue
-
- bin/package read
- bin/package make
-
-To install ksh
-
- cp arch/linux.i386/bin/ksh /bin
- cp arch/linux.i386/man/man1/sh.1 /usr/share/man/man1/ksh.1
-
-To install the provided shell functions pushd, popd and dirs, do this
-
- mkdir -p /usr/share/ksh/functions
- cp arch/linux.i386/fun/* /usr/share/ksh/functions
-
-you will then have to set the following environment variable to access
-them, this can be done in one of the startup scripts
-
- export FPATH=/usr/share/ksh/functions
-
-The install management system supposedly will make it easier to
-upgrade ksh to a newer version by the following command
-
- bin/package update source http://www.research.att.com/sw/download
-
-
-2.3 The T C Shell
-
-tcsh is by comparison easy to install. First we need the sources:
-
-ftp://ftp.funet.fi/pub/unix/shells/tcsh/tcsh-6.11.tar.gz
-
-Build the sources
-
- ./configure --prefix=/usr --bindir=/bin --mandir=/usr/share/man
- mv config_f.h config_f.h.orig
- sed '/NLS_CATALOGS/s/undef/define/; /AUTOLOGOUT/s/define/undef/' \
- config_f.h.orig > config_f.h
- make
- make install install.man
-
-That's it! You now have a shiny new tcsh in your /bin directory. If
-you have special considerations you might want to edit the settings in
-config_f.h differently from mine, for instance it is possible to set
-vi editing as default. If you want to play with the programmable tab
-completion feature, have a look at the file complete.tcsh.
-
-
-2.4 The Z Shell
-
-The sources are available for instance here:
-
-ftp://sunsite.dk/pub/unix/shells/zsh/zsh-4.0.4.tar.bz2
-
-Building and installation is straightforward
-
- ./configure --prefix=/usr --bindir=/bin --mandir=/usr/share/man
- make
- make install
-
-This will install, in addition to the shell, the shell modules as well
-as a lot of shell functions. To take advantage of the latter, you need
-to set the following environment variable, and also "autoload" the
-functions you would like to use
-
- fpath=(/usr/share/zsh/4.0.4/functions/)
- autoload zed # example
-
-
-3. Startup files
-
-To learn more about the different shells, I recommend the manpages and
-homepages for the shells, as well as the general web resources listed
-in section 5. I will however say something about startup files, which
-is otherwise often a source of confusion.
-
-Beginning with ash and ksh, all shells (interactive, non-interactive
-and login) will read the file specified in $ENV. A login shell will in
-addition to this first read /etc/profile and .profile. It is common to
-set $ENV from one of those two files with a command such as this
-
- ENV=$HOME/.shrc; export ENV # or
- export ENV=$HOME/.kshrc
-
-To restrict parts of the $ENV file to interactive shells (that will
-not be run for eg shell scripts), something like the following can be
-used
-
- case $- in *i*)
- # interactive commands
- # ...
- esac
-
-A tsch login shell will read the following files
-
- /etc/csh.cshrc
- /etc/csh.login
- ~/.tcshrc, or if not found, ~/.chsrc
- ~/.login
-
-a non-login shell will only read /etc/csh.cshrc and ~/.tcshrc (or
-~/.cshrc). On logout, a login shell will read /etc/csh.logout and
-~/.logout.
-
-A zsh login shell reads the following files
-
- /etc/zshenv
- ~/.zshenv
- /etc/zprofile
- ~/.zprofile
- /etc/zshrc
- ~/.zshrc
- /etc/zlogin
- ~/.zlogin
-
-an interactive (but non-login) shell will read all those but the
-*profile and *login files. A non-interactive shell will not read
-*zshrc. In addition, zsh login shells will also read ~/.zlogout and
-/etc/zlogout on exit.
-
-
-4. Size comparisons
-
-Shell In-memory size (kB) Binary size (kB)
--------------------------------------------
-ash 472 97
-bash 1400 533
-ksh 1212 834
-tcsh 1448 292
-zsh 1472 424
-
-All binaries were stripped. The in-memory size is obtained from the
-RSS column from 'top'. Sizes may vary slightly from system to system
-and also depending on exact shell version. I am actually not certain
-how relevant these figures are, but decided to include them for
-comparison. Another thing to keep in mind is that zsh uses a lot of
-modules that also takes up space, so the total disk space needed are
-higher than the above figure. The total zsh installation uses over 3
-MB.
-
-
-5. Shell resources
-
-http://www.shelldorado.com
-http://www.faqs.org/faqs/unix-faq/shell/shell-differences/
-http://www.faqs.org/faqs/unix-faq/shell/csh-whynot/
-http://www.kornshell.com
-http://www.tcsh.org
-http://www.zsh.org
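Review bot: the pmake install sequence has a path mismatch: `install -d -m 755 /usr/share/mk/` creates the mk directory, but the following `for file in mk/*; do install -m 644 $file /usr/share/; done` copies the makefiles into /usr/share/ itself, so an installed pmake would not find them under /usr/share/mk/ (only the build-tree form `$PMAKE/pmake -m $PMAKE/mk` shown later would work); the loop should target /usr/share/mk/. Since this hunk only removes the file in favour of the copy in trunk/OLD/, the defect travels with it. Smaller points in the same hunk: the pmake download line `.../devel/ \` has a stray space before the continuation backslash, which breaks the URL when the two lines are joined; "A tsch login shell" and "~/.chsrc" in section 3 should read tcsh and ~/.cshrc (the paragraph two lines later already uses ~/.cshrc); and the ksh install commands hardcode arch/linux.i386/, which only matches that build host.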